[Git][security-tracker-team/security-tracker][master] 2 commits: Old llhttp parser issues: Add links to PoCs.
Guilhem Moulin (@guilhem)
guilhem at debian.org
Tue Aug 8 19:28:08 BST 2023
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker
Commits:
49de627d by Guilhem Moulin at 2023-08-08T20:27:45+02:00
Old llhttp parser issues: Add links to PoCs.
These issues are about llhttp, which nodejs embeds since 12.x, but
llhttp is merely a “port of http_parser to llparse”.
Older nodejs embeds http_parser instead, which appears to be vulnerable
to (at least some of) the same PoCs. Need to evaluate further and file
new CVEs against http_parser/nodejs<12.
- - - - -
b84a2d74 by Guilhem Moulin at 2023-08-08T20:27:46+02:00
CVE-2023-30589/nodejs: Mark as not-affected for buster.
For consistency with CVE-2021-22959, CVE-2021-22960, CVE-2022-3221[345],
CVE-2022-35256.
The reporter's PoC is reproducible with buster's nodejs, but that one
embeds http_parser not llhttp so a separate CVE ID will be needed for
it.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -12854,6 +12854,7 @@ CVE-2023-30590
NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#diffiehellman-do-not-generate-keys-after-setting-a-private-key-medium-cve-2023-30590
CVE-2023-30589 (The llhttp parser in the http module in Node v20.2.0 does not strictly ...)
- nodejs <unfixed> (bug #1039990)
+ [buster] - nodejs <not-affected> (llhttp dependency/embedding introduced in 12.x)
- llhttp <itp> (bug #977716)
NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#http-request-smuggling-via-empty-headers-separated-by-cr-medium-cve-2023-30589
NOTE: https://hackerone.com/reports/2001873
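Review bot: the added `[buster] - nodejs <not-affected>` line gives only "llhttp dependency/embedding introduced in 12.x" as its reason, while the commit message says the reporter's PoC is reproducible with buster's nodejs through http_parser. Nothing in the entry records that, so a reader of data/CVE/list alone will take buster to be unexposed to this smuggling behaviour. Consider adding a NOTE under CVE-2023-30589 stating that the PoC reproduces against the http_parser-based nodejs in buster and that a separate CVE ID is still to be requested.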
@@ -79015,6 +79016,7 @@ CVE-2022-35256 (The llhttp parser in the http module in Node v18.7.0 does not co
[buster] - nodejs <not-affected> (llhttp dependency/embedding introduced in 12.x)
- llhttp <itp> (bug #977716)
NOTE: https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256
+ NOTE: https://hackerone.com/reports/1888760
NOTE: https://github.com/nodejs/node/commit/2e92e5b71d071cb989d8d109d278427041a47e44 (main)
NOTE: https://github.com/nodejs/node/commit/a9f1146b8827855e342834458a71f2367346ace0 (v14.20.1)
CVE-2022-35255 (A weak randomness in WebCrypto keygen vulnerability exists in Node.js ...)
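Review bot: the added `NOTE: https://hackerone.com/reports/1888760` under CVE-2022-35256 is a bare link, yet the commit message says http_parser appears vulnerable to "(at least some of)" the same PoCs and that further evaluation is needed. Once each PoC has been tried against nodejs<12, annotate the corresponding NOTE with the result, so that the follow-up CVE filing can be done from the tracker data rather than from the commit log.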
@@ -87362,6 +87364,7 @@ CVE-2022-32215 (The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http
[buster] - nodejs <not-affected> (llhttp dependency/embedding introduced in 12.x)
- llhttp <itp> (bug #977716)
NOTE: https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#http-request-smuggling-incorrect-parsing-of-multi-line-transfer-encoding-medium-cve-2022-32215
+ NOTE: https://hackerone.com/reports/1630667
NOTE: https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd (v14.x)
NOTE: https://github.com/nodejs/node/commit/d9b71f4c241fa31cc2a48331a4fc28c15937875a (main)
NOTE: https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-multi-line-transfer-encoding-medium-improper-fix-for-cve-2022-32215
@@ -87371,6 +87374,7 @@ CVE-2022-32214 (The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http
[buster] - nodejs <not-affected> (llhttp dependency/embedding introduced in 12.x)
- llhttp <itp> (bug #977716)
NOTE: https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#http-request-smuggling-improper-delimiting-of-header-fields-medium-cve-2022-32214
+ NOTE: https://hackerone.com/reports/1630669
NOTE: https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd (v14.x)
NOTE: https://github.com/nodejs/node/commit/d9b71f4c241fa31cc2a48331a4fc28c15937875a (main)
CVE-2022-32213 (The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module ...)
@@ -87379,7 +87383,9 @@ CVE-2022-32213 (The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http
[buster] - nodejs <not-affected> (llhttp dependency/embedding introduced in 12.x)
- llhttp <itp> (bug #977716)
NOTE: https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#http-request-smuggling-flawed-parsing-of-transfer-encoding-medium-cve-2022-32213
+ NOTE: https://hackerone.com/reports/1630668
NOTE: https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd (v14.x)
+ NOTE: https://github.com/nodejs/node/commit/a9f1146b8827855e342834458a71f2367346ace0 (v14.x)
NOTE: https://github.com/nodejs/node/commit/d9b71f4c241fa31cc2a48331a4fc28c15937875a (main)
NOTE: https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#cve-2022-32213-bypass-via-obs-fold-mechanic-medium-cve-2022-32213
CVE-2022-32212 (A OS Command Injection vulnerability exists in Node.js versions <14.20 ...)
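Review bot: the added commit `a9f1146b8827855e342834458a71f2367346ace0` is labelled `(v14.x)` here, but the same hash appears as context under CVE-2022-35256 labelled `(v14.20.1)`. Use one label for both. This entry also now lists two `(v14.x)` commits with nothing to tell them apart; if the new one relates to the bypass referenced in the last NOTE of this entry, say so in the parenthesis.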
@@ -183322,6 +183328,8 @@ CVE-2021-22960 (The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk
- nodejs 12.22.7~dfsg-1
[buster] - nodejs <not-affected> (llhttp dependency/embedding introduced in 12.x)
[stretch] - nodejs <end-of-life> (Nodejs in stretch not covered by security support)
+ NOTE: https://hackerone.com/reports/1238099
+ NOTE: https://github.com/nodejs/node/commit/657fb9a77ca36f729da484f55899dad7a13759b0 (v14.x)
NOTE: https://github.com/nodejs/node/commit/21a2e554e3eaa325abbdb28f366928d0ccc0a0f0 (v12.22.7)
NOTE: https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/#http-request-smuggling-when-parsing-the-body-medium-cve-2021-22960
CVE-2021-22959 (The parser in accepts requests with a space (SP) right after the heade ...)
@@ -183329,6 +183337,8 @@ CVE-2021-22959 (The parser in accepts requests with a space (SP) right after the
- nodejs 12.22.7~dfsg-1
[buster] - nodejs <not-affected> (llhttp dependency/embedding introduced in 12.x)
[stretch] - nodejs <end-of-life> (Nodejs in stretch not covered by security support)
+ NOTE: https://hackerone.com/reports/1238099
+ NOTE: https://hackerone.com/reports/1238709
NOTE: https://github.com/nodejs/node/commit/21a2e554e3eaa325abbdb28f366928d0ccc0a0f0 (v12.22.7)
NOTE: https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/#http-request-smuggling-due-to-spaced-in-headers-medium-cve-2021-22959
CVE-2021-22958 (A Server-Side Request Forgery vulnerability was found in concrete5 < 8 ...)
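Review bot: `https://hackerone.com/reports/1238099` is added under CVE-2021-22959 here and also under CVE-2021-22960 in the previous hunk. If that one report covers both issues, a short parenthetical on each NOTE would make it clear the duplication is intended; if not, one of the two links is a copy-paste slip and should be corrected.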
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d2669d89e8908adc6fc95dc664edcc86e8693842...b84a2d74e6f054e3ae21ef6ce21ee92c61028d04