Vulnerability Description
Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to be made to the same server.
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nodejs | Node.Js | >= 6.0.0, <= 6.8.1 |
| Suse | Suse Enterprise Storage | 4 |
| Suse | Suse Linux Enterprise Server | 12 |
| Suse | Suse Openstack Cloud | 7 |
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHSA-2019:1821 (Third Party Advisory)
- https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ (Patch, Vendor Advisory)
- https://security.gentoo.org/glsa/202003-48 (Third Party Advisory)
FAQ
What is CVE-2018-12116?
CVE-2018-12116 is a vulnerability with a CVSS score of 7.5 (HIGH). Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to be made to the same server.
How severe is CVE-2018-12116?
CVE-2018-12116 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2018-12116?
Check the references section above for vendor advisories and patch information. Affected products include: Node.Js (Nodejs); Suse Enterprise Storage, Suse Linux Enterprise Server and Suse Openstack Cloud (Suse).