CVE-2022-32215 — MEDIUM (6.5)

Q: What is CVE-2022-32215?

CVE-2022-32215 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

Q: How severe is CVE-2022-32215?

CVE-2022-32215 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-32215?

Check the references section above for vendor advisories and patch information. Affected products include: Llhttp Llhttp, Nodejs Node.Js, Fedoraproject Fedora, Siemens Sinec Ins, Debian Debian Linux.

Vulnerability Description

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Llhttp	Llhttp	>= 14.0.0, < 14.20.1
Nodejs	Node.Js	>= 14.0.0, <= 14.14.0
Fedoraproject	Fedora	35
Siemens	Sinec Ins	1.0
Debian	Debian Linux	11.0
Stormshield	Stormshield Management Center	< 3.3.2

Related Weaknesses (CWE)

CWE-444

References

https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdfPatchThird Party Advisory
https://hackerone.com/reports/1501679ExploitIssue TrackingThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/PatchVendor Advisory
https://www.debian.org/security/2023/dsa-5326Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdfPatchThird Party Advisory
https://hackerone.com/reports/1501679ExploitIssue TrackingThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/PatchVendor Advisory
https://www.debian.org/security/2023/dsa-5326Third Party Advisory

FAQ

What is CVE-2022-32215?

CVE-2022-32215 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

How severe is CVE-2022-32215?

CVE-2022-32215 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-32215?

Check the references section above for vendor advisories and patch information. Affected products include: Llhttp Llhttp, Nodejs Node.Js, Fedoraproject Fedora, Siemens Sinec Ins, Debian Debian Linux.