CVE-2022-35256
high
CVSS v3
โ
CVSS v4 NEW
โ
VIR risk
8.0
Description
Important: nodejs security update
Predictions
Exploit likelihood
20%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Mitigation details
Source: Red Hat Errata โ Red Hat Inc. ยท View original โ ยท Open-Errata-API
Description nodejs: HTTP Request Smuggling due to incorrect parsing of header fields CVSS v3: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) Errata / fixed releases ProductPackageAdvisoryReleased Red Hat Enterprise Linux 8nodejs:16-8060020221007164523.ad008a3aRHSA-2022:69642022-10-17T00:00:00Z Red Hat Enterprise Linux 8nodejs:18-8070020221004121421.bd1311edRHSA-2022:78212022-11-08T00:00:00Zโฆ
Description
nodejs: HTTP Request Smuggling due to incorrect parsing of header fields
CVSS v3: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Errata / fixed releases
| Product | Package | Advisory | Released |
|---|---|---|---|
| Red Hat Enterprise Linux 8 | nodejs:16-8060020221007164523.ad008a3a | RHSA-2022:6964 | 2022-10-17T00:00:00Z |
| Red Hat Enterprise Linux 8 | nodejs:18-8070020221004121421.bd1311ed | RHSA-2022:7821 | 2022-11-08T00:00:00Z |
| Red Hat Enterprise Linux 8 | nodejs:14-8070020221020110846.bd1311ed | RHSA-2022:7830 | 2022-11-08T00:00:00Z |
| Red Hat Enterprise Linux 8.4 Extended Update Support | nodejs:14-8040020230306170312.522a0ee4 | RHSA-2023:1533 | 2023-03-30T00:00:00Z |
| Red Hat Enterprise Linux 8.6 Extended Update Support | nodejs:14-8060020230306170237.ad008a3a | RHSA-2023:1742 | 2023-04-12T00:00:00Z |
| Red Hat Enterprise Linux 9 | nodejs-1:16.17.1-1.el9_0 | RHSA-2022:6963 | 2022-10-18T00:00:00Z |
| Red Hat Enterprise Linux 9 | nodejs-1:16.18.1-3.el9_1 | RHSA-2023:0321 | 2023-01-23T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-nodejs14-nodejs-0:14.20.1-2.el7 | RHSA-2022:7044 | 2022-10-19T00:00:00Z |
Package state
| Product | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 9 | nodejs:18/nodejs | Not affected |
Apply commands
Apply RHSA-2022:6964 for Red Hat Enterprise Linux 8
yum update -y nodejs:16
# or:
dnf upgrade -y nodejs:16Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | Red Hat Enterprise Linux 9 | Not affected |
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| โ | Affected | โ |
AlmaLinux Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | nodejs-docs-16.17.1-1.el9_0.noarch.rpm |
| 8 | Fixed | nodejs-16.17.1-1.module_el8.6.0+3328+2e4711d7.aarch64.rpm |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 18.10.0+dfsg-1 |
| sid | Fixed | 0 |
| forky | Fixed | 0 |
| bullseye | Fixed | 12.22.12~dfsg-1~deb11u3 |
| bookworm | Fixed | 18.10.0+dfsg-1 |
Red Hat Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | โ |
| 8 | Fixed | โ |
Rocky Linux Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | โ |
| 8 | Fixed | โ |
References
- https://access.redhat.com/errata/RHSA-2022:6963
- https://access.redhat.com/errata/RHSA-2023:0321
- https://errata.rockylinux.org/RLSA-2022:7830
- https://errata.rockylinux.org/RLSA-2022:7821
- https://www.suse.com/security/cve/CVE-2022-35256.html
- https://errata.rockylinux.org/RLSA-2022:6964
- https://errata.rockylinux.org/RLSA-2023:0321
- https://errata.rockylinux.org/RLSA-2022:6963
- https://security-tracker.debian.org/tracker/CVE-2022-35256
- https://access.redhat.com/errata/RHSA-2022:7821
- https://bugzilla.redhat.com/2130517
- https://bugzilla.redhat.com/2130518
- https://errata.almalinux.org/8/ALSA-2022-7821.html
- https://access.redhat.com/errata/RHSA-2022:6964
- https://errata.almalinux.org/8/ALSA-2022-6964.html
- https://errata.almalinux.org/9/ALSA-2022-6963.html
- https://bugzilla.redhat.com/2066009
- https://bugzilla.redhat.com/2134609
- https://bugzilla.redhat.com/2140911
- https://errata.almalinux.org/9/ALSA-2023-0321.html
- https://access.redhat.com/errata/RHSA-2022:7830
- https://bugzilla.redhat.com/2040839
- https://bugzilla.redhat.com/2040846
- https://bugzilla.redhat.com/2040856
- https://bugzilla.redhat.com/2040862
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.