Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker


Commits:
49de627d by Guilhem Moulin at 2023-08-08T20:27:45+02:00
Old llhttp parser issues: Add links to PoCs.

These issues are about llhttp, which nodejs embeds since 12.x, but
llhttp is merely a “port of http_parser to llparse”.

Older nodejs embeds http_parser instead, which appears to be vulnerable
to (at least some of) the same PoCs.  Need to evaluate further and file
new CVEs against http_parser/nodejs<12.

- - - - -
b84a2d74 by Guilhem Moulin at 2023-08-08T20:27:46+02:00
CVE-2023-30589/nodejs: Mark as not-affected for buster.

For consistency with CVE-2021-22959, CVE-2021-22960, CVE-2022-3221[345],
CVE-2022-35256.

The reporter's PoC is reproducible with buster's nodejs, but that one
embeds http_parser not llhttp so a separate CVE ID will be needed for
it.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -12854,6 +12854,7 @@ CVE-2023-30590
        NOTE: 
https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#diffiehellman-do-not-generate-keys-after-setting-a-private-key-medium-cve-2023-30590
 CVE-2023-30589 (The llhttp parser in the http module in Node v20.2.0 does not 
strictly ...)
        - nodejs <unfixed> (bug #1039990)
+       [buster] - nodejs <not-affected> (llhttp dependency/embedding 
introduced in 12.x)
        - llhttp <itp> (bug #977716)
        NOTE: 
https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#http-request-smuggling-via-empty-headers-separated-by-cr-medium-cve-2023-30589
        NOTE: https://hackerone.com/reports/2001873
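Review bot: The added [buster] not-affected line for CVE-2023-30589 records only the llhttp rationale, while the commit message states that the reporter's PoC reproduces against buster's nodejs through http_parser. Someone reading data/CVE/list alone would conclude buster is not exposed to this request-smuggling behaviour. Consider adding a NOTE under this entry saying that buster's embedded http_parser reproduces the PoC and that a separate CVE ID is pending, so the follow-up is visible in the tracker data and not only in the git history.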
@@ -79015,6 +79016,7 @@ CVE-2022-35256 (The llhttp parser in the http module in 
Node v18.7.0 does not co
        [buster] - nodejs <not-affected> (llhttp dependency/embedding 
introduced in 12.x)
        - llhttp <itp> (bug #977716)
        NOTE: 
https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256
+       NOTE: https://hackerone.com/reports/1888760
        NOTE: 
https://github.com/nodejs/node/commit/2e92e5b71d071cb989d8d109d278427041a47e44 
(main)
        NOTE: 
https://github.com/nodejs/node/commit/a9f1146b8827855e342834458a71f2367346ace0 
(v14.20.1)
 CVE-2022-35255 (A weak randomness in WebCrypto keygen vulnerability exists in 
Node.js  ...)
@@ -87362,6 +87364,7 @@ CVE-2022-32215 (The llhttp parser <v14.20.1, <v16.17.1 
and <v18.9.1 in the http
        [buster] - nodejs <not-affected> (llhttp dependency/embedding 
introduced in 12.x)
        - llhttp <itp> (bug #977716)
        NOTE: 
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#http-request-smuggling-incorrect-parsing-of-multi-line-transfer-encoding-medium-cve-2022-32215
+       NOTE: https://hackerone.com/reports/1630667
        NOTE: 
https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd 
(v14.x)
        NOTE: 
https://github.com/nodejs/node/commit/d9b71f4c241fa31cc2a48331a4fc28c15937875a 
(main)
        NOTE: 
https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-multi-line-transfer-encoding-medium-improper-fix-for-cve-2022-32215
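Review bot: No commit is linked for the September 2022 follow-up fix in this CVE-2022-32215 entry, although its last NOTE points at the "improper fix for CVE-2022-32215" advisory. CVE-2022-32213, which has a comparable September 2022 bypass advisory, gains commit a9f1146b8827855e342834458a71f2367346ace0 in this same change. If that commit also carries the corrected fix for CVE-2022-32215, add it here next to the HackerOne link; if not, a NOTE naming the commit that does would complete the entry.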
@@ -87371,6 +87374,7 @@ CVE-2022-32214 (The llhttp parser <v14.20.1, <v16.17.1 
and <v18.9.1 in the http
        [buster] - nodejs <not-affected> (llhttp dependency/embedding 
introduced in 12.x)
        - llhttp <itp> (bug #977716)
        NOTE: 
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#http-request-smuggling-improper-delimiting-of-header-fields-medium-cve-2022-32214
+       NOTE: https://hackerone.com/reports/1630669
        NOTE: 
https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd 
(v14.x)
        NOTE: 
https://github.com/nodejs/node/commit/d9b71f4c241fa31cc2a48331a4fc28c15937875a 
(main)
 CVE-2022-32213 (The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the 
http module ...)
@@ -87379,7 +87383,9 @@ CVE-2022-32213 (The llhttp parser <v14.20.1, <v16.17.1 
and <v18.9.1 in the http
        [buster] - nodejs <not-affected> (llhttp dependency/embedding 
introduced in 12.x)
        - llhttp <itp> (bug #977716)
        NOTE: 
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#http-request-smuggling-flawed-parsing-of-transfer-encoding-medium-cve-2022-32213
+       NOTE: https://hackerone.com/reports/1630668
        NOTE: 
https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd 
(v14.x)
+       NOTE: 
https://github.com/nodejs/node/commit/a9f1146b8827855e342834458a71f2367346ace0 
(v14.x)
        NOTE: 
https://github.com/nodejs/node/commit/d9b71f4c241fa31cc2a48331a4fc28c15937875a 
(main)
        NOTE: 
https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#cve-2022-32213-bypass-via-obs-fold-mechanic-medium-cve-2022-32213
 CVE-2022-32212 (A OS Command Injection vulnerability exists in Node.js 
versions <14.20 ...)
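Review bot: The added a9f1146b8827855e342834458a71f2367346ace0 NOTE is labelled (v14.x), the same label as da0fda0fe81d372e24c0cb11aec37534985708dd directly above it, but the identical commit is labelled (v14.20.1) under CVE-2022-35256. Use (v14.20.1) here as well so the two 14.x commits can be told apart. If this commit is the fix for the obs-fold bypass advisory linked at the end of the entry, placing it next to that NOTE would make the relationship clear.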
@@ -183322,6 +183328,8 @@ CVE-2021-22960 (The parse function in llhttp < 2.1.4 
and < 6.0.6. ignores chunk
        - nodejs 12.22.7~dfsg-1
        [buster] - nodejs <not-affected> (llhttp dependency/embedding 
introduced in 12.x)
        [stretch] - nodejs <end-of-life> (Nodejs in stretch not covered by 
security support)
+       NOTE: https://hackerone.com/reports/1238099
+       NOTE: 
https://github.com/nodejs/node/commit/657fb9a77ca36f729da484f55899dad7a13759b0 
(v14.x)
        NOTE: 
https://github.com/nodejs/node/commit/21a2e554e3eaa325abbdb28f366928d0ccc0a0f0 
(v12.22.7)
        NOTE: 
https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/#http-request-smuggling-when-parsing-the-body-medium-cve-2021-22960
 CVE-2021-22959 (The parser in accepts requests with a space (SP) right after 
the heade ...)
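Review bot: HackerOne report 1238099 is added here for CVE-2021-22960 and again under CVE-2021-22959 in the next hunk. If the one report covers both issues that is fine, but it is worth confirming this is not a copy-paste slip, since CVE-2021-22959 additionally gets its own report (1238709) while this entry gets no report of its own.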
@@ -183329,6 +183337,8 @@ CVE-2021-22959 (The parser in accepts requests with a 
space (SP) right after the
        - nodejs 12.22.7~dfsg-1
        [buster] - nodejs <not-affected> (llhttp dependency/embedding 
introduced in 12.x)
        [stretch] - nodejs <end-of-life> (Nodejs in stretch not covered by 
security support)
+       NOTE: https://hackerone.com/reports/1238099
+       NOTE: https://hackerone.com/reports/1238709
        NOTE: 
https://github.com/nodejs/node/commit/21a2e554e3eaa325abbdb28f366928d0ccc0a0f0 
(v12.22.7)
        NOTE: 
https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/#http-request-smuggling-due-to-spaced-in-headers-medium-cve-2021-22959
 CVE-2021-22958 (A Server-Side Request Forgery vulnerability was found in 
concrete5 < 8 ...)
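Review bot: Only the v12.22.7 commit is listed for CVE-2021-22959 after this change, while CVE-2021-22960 in the previous hunk gains a v14.x commit (657fb9a77ca36f729da484f55899dad7a13759b0). Both entries point at the same October 2021 advisory page and the same v12.22.7 commit, so if the v14.x commit also fixes the space-after-header-name issue, link it here as well.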



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d2669d89e8908adc6fc95dc664edcc86e8693842...b84a2d74e6f054e3ae21ef6ce21ee92c61028d04
