CVE-2022-35256
MEDIUM6.5EPSS 3.7%發布日:2022/12/5修改日:2025/12/3
也稱為:ALPINE-CVE-2022-35256
描述
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.
受影響套件(4)
- Alpine/nodejsfrom 0, < 14.20.1-r0
- Bitnami/node>= 14.0.0, < 14.14.1, >= 14.15.0, < 14.20.1, >= 16.0.0, < 16.12.1, >= 16.13.0, < 16.17.1, >= 18.0.0, < 18.9.1
- Bitnami/node-min>= 14.0.0, < 14.14.1, >= 14.15.0, < 14.20.1, >= 16.0.0, < 16.12.1, >= 16.13.0, < 16.17.1, >= 18.0.0, < 18.9.1
- Debian/nodejsfrom 0, < 12.22.12~dfsg-1~deb11u3
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
參考連結(6)
- ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2022-35256
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-35256
- WEBhttps://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
- WEBhttps://hackerone.com/reports/1675191
- WEBhttps://nvd.nist.gov/vuln/detail/CVE-2022-35256
- WEBhttps://www.debian.org/security/2023/dsa-5326