CVE-2020-8201 — HIGH (7.4) — White Hats Nepal

Q: How severe is CVE-2020-8201?

CVE-2020-8201 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-8201?

Check the references section above for vendor advisories and patch information. Affected products include: Nodejs Node.Js, Opensuse Leap, Fedoraproject Fedora.

Vulnerability Description

Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names.

CVSS Score

7.4

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Nodejs	Node.Js	>= 12.0.0, < 12.18.4
Opensuse	Leap	15.2
Fedoraproject	Fedora	33

Related Weaknesses (CWE)

CWE-444

References

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.htmlThird Party Advisory
https://hackerone.com/reports/922597Permissions Required
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/Vendor Advisory
https://security.gentoo.org/glsa/202101-07Third Party Advisory
https://security.netapp.com/advisory/ntap-20201009-0004/Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.htmlThird Party Advisory
https://hackerone.com/reports/922597Permissions Required
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/Vendor Advisory
https://security.gentoo.org/glsa/202101-07Third Party Advisory
https://security.netapp.com/advisory/ntap-20201009-0004/Third Party Advisory

FAQ

What is CVE-2020-8201?

CVE-2020-8201 is a vulnerability with a CVSS score of 7.4 (HIGH). Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, ...

How severe is CVE-2020-8201?

CVE-2020-8201 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-8201?

Check the references section above for vendor advisories and patch information. Affected products include: Nodejs Node.Js, Opensuse Leap, Fedoraproject Fedora.