
Debian 11 Bullseye DLA-3886-1 Critical: Node.js HTTP Issues

debian lts
September 14, 2024
Node.js, a JavaScript runtime environment that executes JavaScript code outside a web browser (server side), was found to be vulnerable to the following issues.

Summary

CVE-2023-30589

The llhttp parser in the http module in Node does not strictly
use the CRLF sequence to delimit HTTP requests. This can lead to
HTTP Request Smuggling (HRS). The CR character (without LF) is
sufficient to delimit HTTP header fields in the llhttp parser.
According to RFC7230 section 3, only the CRLF sequence should
delimit each header-field.
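The issue above is a parser disagreement: a lenient splitter treats a bare CR as the end of a header field, while an RFC 7230 parser accepts only CRLF. The following added example (not code from the advisory or from llhttp) implements both splitters over a constructed header block with hypothetical host names and uses their disagreement as a rejection signal.

```javascript
// Added example, not from the advisory: compare a lenient header splitter
// (bare CR accepted, as described for the unpatched llhttp) with a strict one
// that follows RFC 7230 section 3, and reject blocks on which they disagree.

// Lenient: CRLF, bare CR, or bare LF all end a header field.
function splitLenient(block) {
  return block.split(/\r\n|\r|\n/).filter((line) => line.length > 0);
}

// Strict: only CRLF ends a header field; any leftover CR or LF is an error.
// Returns null instead of throwing so callers can treat "invalid" as a value.
function splitStrict(block) {
  const lines = block.split('\r\n');
  if (lines.some((line) => /[\r\n]/.test(line))) {
    return null;
  }
  return lines.filter((line) => line.length > 0);
}

// Parse "Name: value" lines into a lowercase-keyed map; duplicates are joined.
function toHeaderMap(lines) {
  const headers = Object.create(null);
  for (const line of lines) {
    const idx = line.indexOf(':');
    if (idx <= 0) return null; // no field name: malformed line
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return headers;
}

// Audit a raw header block: report how each parser sees it and whether to reject.
function auditHeaderBlock(block) {
  const strict = splitStrict(block);
  const lenient = splitLenient(block);
  return {
    strictFields: strict ? strict.length : 0,
    lenientFields: lenient.length,
    // Reject when strict parsing fails or the two parsers disagree on field count.
    reject: strict === null || strict.length !== lenient.length,
    headers: strict ? toHeaderMap(strict) : null,
  };
}

// Constructed samples (hypothetical host names), not captured traffic.
const CLEAN_BLOCK = 'Host: app.example\r\nContent-Length: 5\r\n';
const BARE_CR_BLOCK = 'Host: app.example\r\nX-Note: first\rContent-Length: 5\r\n';

console.log(auditHeaderBlock(CLEAN_BLOCK).reject, auditHeaderBlock(BARE_CR_BLOCK).reject);
```

The second block parses as two fields under strict rules but three under lenient rules, which is exactly the front-end/back-end disagreement that request smuggling relies on; rejecting such blocks at the edge removes the ambiguity.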

CVE-2023-30590

The generateKeys() API function returned from
crypto.createDiffieHellman() only generates missing (or outdated)
keys, that is, it only generates a private key if none has been
set yet, but the function is also needed to compute the
corresponding public key after calling setPrivateKey(). However,
the documentation says this API call: "Generates private and
public Diffie-Hellman key values". The documented behavior is very
different from the actual behavior, and this difference could
easily lead to security issues.

CVE-2023-32559

Severity: critical

Package: nodejs
Version: 12.22.12~dfsg-1~deb11u5
CVE ID: CVE-2023-30589 CVE-2023-30590 CVE-2023-32559 CVE-2023-46809
