ID

VAR-202210-0043


CVE

CVE-2022-35256


TITLE

Node.js Foundation  of  Node.js  in products from other multiple vendors  HTTP  Request Smuggling Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2022-022575

DESCRIPTION

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling. Node.js Foundation of Node.js For products from other vendors, HTTP There is a vulnerability related to request smuggling.Information may be obtained and information may be tampered with. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: rh-nodejs14-nodejs security update Advisory ID: RHSA-2022:7044-01 Product: Red Hat Software Collections Advisory URL: https://access.redhat.com/errata/RHSA-2022:7044 Issue date: 2022-10-19 CVE Names: CVE-2021-44531 CVE-2021-44532 CVE-2021-44533 CVE-2021-44906 CVE-2022-21824 CVE-2022-35256 ==================================================================== 1. Summary: An update for rh-nodejs14-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64le, s390x, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64 3. Description: Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix(es): * nodejs: Improper handling of URI Subject Alternative Names (CVE-2021-44531) * nodejs: Certificate Verification Bypass via String Injection (CVE-2021-44532) * nodejs: Incorrect handling of certificate subject and issuer fields (CVE-2021-44533) * minimist: prototype pollution (CVE-2021-44906) * nodejs: HTTP Request Smuggling due to incorrect parsing of header fields (CVE-2022-35256) * nodejs: Prototype pollution via console.table properties (CVE-2022-21824) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2040839 - CVE-2021-44531 nodejs: Improper handling of URI Subject Alternative Names 2040846 - CVE-2021-44532 nodejs: Certificate Verification Bypass via String Injection 2040856 - CVE-2021-44533 nodejs: Incorrect handling of certificate subject and issuer fields 2040862 - CVE-2022-21824 nodejs: Prototype pollution via console.table properties 2066009 - CVE-2021-44906 minimist: prototype pollution 2130518 - CVE-2022-35256 nodejs: HTTP Request Smuggling due to incorrect parsing of header fields 6. Package List: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7): Source: rh-nodejs14-nodejs-14.20.1-2.el7.src.rpm noarch: rh-nodejs14-nodejs-docs-14.20.1-2.el7.noarch.rpm ppc64le: rh-nodejs14-nodejs-14.20.1-2.el7.ppc64le.rpm rh-nodejs14-nodejs-debuginfo-14.20.1-2.el7.ppc64le.rpm rh-nodejs14-nodejs-devel-14.20.1-2.el7.ppc64le.rpm rh-nodejs14-npm-6.14.17-14.20.1.2.el7.ppc64le.rpm s390x: rh-nodejs14-nodejs-14.20.1-2.el7.s390x.rpm rh-nodejs14-nodejs-debuginfo-14.20.1-2.el7.s390x.rpm rh-nodejs14-nodejs-devel-14.20.1-2.el7.s390x.rpm rh-nodejs14-npm-6.14.17-14.20.1.2.el7.s390x.rpm x86_64: rh-nodejs14-nodejs-14.20.1-2.el7.x86_64.rpm rh-nodejs14-nodejs-debuginfo-14.20.1-2.el7.x86_64.rpm rh-nodejs14-nodejs-devel-14.20.1-2.el7.x86_64.rpm rh-nodejs14-npm-6.14.17-14.20.1.2.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7): Source: rh-nodejs14-nodejs-14.20.1-2.el7.src.rpm noarch: rh-nodejs14-nodejs-docs-14.20.1-2.el7.noarch.rpm x86_64: rh-nodejs14-nodejs-14.20.1-2.el7.x86_64.rpm rh-nodejs14-nodejs-debuginfo-14.20.1-2.el7.x86_64.rpm rh-nodejs14-nodejs-devel-14.20.1-2.el7.x86_64.rpm rh-nodejs14-npm-6.14.17-14.20.1.2.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-44531 https://access.redhat.com/security/cve/CVE-2021-44532 https://access.redhat.com/security/cve/CVE-2021-44533 https://access.redhat.com/security/cve/CVE-2021-44906 https://access.redhat.com/security/cve/CVE-2022-21824 https://access.redhat.com/security/cve/CVE-2022-35256 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBY1Bkk9zjgjWX9erEAQh9DQ//dSOPbtnYD3f9AvLUnQpnJb7OyGisGpPW von8hNiTCD5J3FP2DlY3/wGX9H1g2BXmuwpojS/sh17E2+sHldBTMk5kxT8bkBkB ZWnmIwqA1PfjAO4FEc7MtePJXsqCrBne63Bpo7k3ALc4hHtP2BEMkjA4ZOJJDl82 ydj74PPr0uVuZAn0jcLKsIPq1OmUW9jNuzY0p5uqhXKVP4XfFWfpi2dd34Nej+dv RbSABk5jZ0R6bQlPOdG4bI8vevvmhkeAqkcWgHWBZ9n34SFdiGKFdxUI3+SM2zvl tB7zuDc9rsLnF7DLZq3HVG3eOVdxJ1MKwap89iQrmQCy1kz4iq3hZbAKJHIjLTEy gWpwYI9nCamIsNwYB1pUM5RexkKTPKDRttZh9hff2RO9QCvdnecw3386blkhsb8s XJMAywflJeBrTnMPQ9tSNx60CgGI8JkU40RtnfwwS5yS1upd56jYbL+W4CzbZmzd bj48/l+fl3Ny0bGZ6QAG0ZWrH0eTs6hL/xYKFu2Z7jDteP9ITE1kSKeISjE/G0Rb Hjjp6sfEiR07PEJx2/Lne+o5JvCGu7wviT2SnJIfjX9C056CtO4IjRXEqdPqZqYq 3+T1AOLM1M2vu55WagYhnTtfGefIj5EScstARXZjz5pF0dQyhNZNO+p/S0coNUWz y4v1DFKlYtA=JvnP -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-5326-1 security@debian.org https://www.debian.org/security/ Aron Xu January 24, 2023 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : nodejs CVE ID : CVE-2022-32212 CVE-2022-32213 CVE-2022-32214 CVE-2022-32215 CVE-2022-35255 CVE-2022-35256 CVE-2022-43548 Multiple vulnerabilities were discovered in Node.js, which could result in HTTP request smuggling, bypass of host IP address validation and weak randomness setup. For the stable distribution (bullseye), these problems have been fixed in version 12.22.12~dfsg-1~deb11u3. We recommend that you upgrade your nodejs packages. For the detailed security status of nodejs please refer to its security tracker page at: https://security-tracker.debian.org/tracker/nodejs Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmPQNhIACgkQEMKTtsN8 TjaRmA/+KDFkQcd2sE/eAAx9cVikICNkfu7uIVKHpeDH9o5oq5M2nj4zHJCeAArp WblguyZwEtqzAOO2WesbrmwfXLmglhrNZwRMOrsbu63JxSnecp7qcMwR8A4JWdmd Txb4aZr6Prmwq6fT0G3K6oV8Hw+OeqYA/RZKenxtkBf/jdzVahGJHJ/NrFKKWVQW xbqHwCkP7uUlm+5UR5XzNrodTRCQYHJvUmDUrjEOjM6x+sqYirKWiERN0A14kVn9 0Ufrw6+Z2tKhdKFZfU1BtDthhlH/nybz0h3aHsk+E5/vx20WAURiCEDVi7nf8+Rf EtbCxaqV+/xVoPmXStHY/ogCo8CgRVsyYUIemgi4q5LwVx/Oqjm2CJ/xCwOKh0E2 idXLJfLSpxxBe598MUn9iKbnFFCN9DQZXf7BYs3djtn8ALFVBSHZSF1QXFoFQ86w Y9xGhBQzfEgCoEW7H4S30ZQ+Gz+ZnOMCSH+MKIMtSpqbc7wLtrKf839DO6Uux7B7 u0WR3lZlsihi92QKq9X/VRkyy8ZiA2TYy3IE+KDKlXDHKls9FR9BUClYe9L8RiRu boP8KPFUHUsSVaTzkufMStdKkcXCqgj/6KhJL6E9ZunTBpTmqx1Ty7/N2qktLFnH ujrffzV3rCE6eIg7ps8OdZbjCfqUqmQk9/pV6ZDjymqjZ1LKZDs\xfeRn -----END PGP SIGNATURE----- . 9) - aarch64, noarch, ppc64le, s390x, x86_64 3. The following packages have been upgraded to a later upstream version: nodejs (16.18.1), nodejs-nodemon (2.0.20). Bug Fix(es): * nodejs: Packaged version of undici does not fit with declared version. [rhel-9] (BZ#2151627) 4. ========================================================================== Ubuntu Security Notice USN-6491-1 November 21, 2023 nodejs vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS (Available with Ubuntu Pro) Summary: Several security issues were fixed in Node.js. Software Description: - nodejs: An open-source, cross-platform JavaScript runtime environment. Details: Axel Chong discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code. (CVE-2022-32212) Zeyu Zhang discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-32213, CVE-2022-32214, CVE-2022-32215) It was discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-35256) It was discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-43548) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS: libnode-dev 12.22.9~dfsg-1ubuntu3.2 libnode72 12.22.9~dfsg-1ubuntu3.2 nodejs 12.22.9~dfsg-1ubuntu3.2 nodejs-doc 12.22.9~dfsg-1ubuntu3.2 Ubuntu 20.04 LTS: libnode-dev 10.19.0~dfsg-3ubuntu1.3 libnode64 10.19.0~dfsg-3ubuntu1.3 nodejs 10.19.0~dfsg-3ubuntu1.3 nodejs-doc 10.19.0~dfsg-3ubuntu1.3 Ubuntu 18.04 LTS (Available with Ubuntu Pro): nodejs 8.10.0~dfsg-2ubuntu0.4+esm4 nodejs-dev 8.10.0~dfsg-2ubuntu0.4+esm4 nodejs-doc 8.10.0~dfsg-2ubuntu0.4+esm4 In general, a standard system update will make all the necessary changes. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202405-29 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Low Title: Node.js: Multiple Vulnerabilities Date: May 08, 2024 Bugs: #772422, #781704, #800986, #805053, #807775, #811273, #817938, #831037, #835615, #857111, #865627, #872692, #879617, #918086, #918614 ID: 202405-29 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= Multiple vulnerabilities have been discovered in Node.js. Background ========= Node.js is a JavaScript runtime built on Chrome’s V8 JavaScript engine. Affected packages ================ Package Vulnerable Unaffected --------------- ------------ ------------ net-libs/nodejs < 16.20.2 >= 16.20.2 Description ========== Multiple vulnerabilities have been discovered in Node.js. Please review the CVE identifiers referenced below for details. Impact ===== Please review the referenced CVE identifiers for details. Workaround ========= There is no known workaround at this time. Resolution ========= All Node.js 20 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-libs/nodejs-20.5.1" All Node.js 18 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-libs/nodejs-18.17.1" All Node.js 16 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-libs/nodejs-16.20.2" References ========= [ 1 ] CVE-2020-7774 https://nvd.nist.gov/vuln/detail/CVE-2020-7774 [ 2 ] CVE-2021-3672 https://nvd.nist.gov/vuln/detail/CVE-2021-3672 [ 3 ] CVE-2021-22883 https://nvd.nist.gov/vuln/detail/CVE-2021-22883 [ 4 ] CVE-2021-22884 https://nvd.nist.gov/vuln/detail/CVE-2021-22884 [ 5 ] CVE-2021-22918 https://nvd.nist.gov/vuln/detail/CVE-2021-22918 [ 6 ] CVE-2021-22930 https://nvd.nist.gov/vuln/detail/CVE-2021-22930 [ 7 ] CVE-2021-22931 https://nvd.nist.gov/vuln/detail/CVE-2021-22931 [ 8 ] CVE-2021-22939 https://nvd.nist.gov/vuln/detail/CVE-2021-22939 [ 9 ] CVE-2021-22940 https://nvd.nist.gov/vuln/detail/CVE-2021-22940 [ 10 ] CVE-2021-22959 https://nvd.nist.gov/vuln/detail/CVE-2021-22959 [ 11 ] CVE-2021-22960 https://nvd.nist.gov/vuln/detail/CVE-2021-22960 [ 12 ] CVE-2021-37701 https://nvd.nist.gov/vuln/detail/CVE-2021-37701 [ 13 ] CVE-2021-37712 https://nvd.nist.gov/vuln/detail/CVE-2021-37712 [ 14 ] CVE-2021-39134 https://nvd.nist.gov/vuln/detail/CVE-2021-39134 [ 15 ] CVE-2021-39135 https://nvd.nist.gov/vuln/detail/CVE-2021-39135 [ 16 ] CVE-2021-44531 https://nvd.nist.gov/vuln/detail/CVE-2021-44531 [ 17 ] CVE-2021-44532 https://nvd.nist.gov/vuln/detail/CVE-2021-44532 [ 18 ] CVE-2021-44533 https://nvd.nist.gov/vuln/detail/CVE-2021-44533 [ 19 ] CVE-2022-0778 https://nvd.nist.gov/vuln/detail/CVE-2022-0778 [ 20 ] CVE-2022-3602 https://nvd.nist.gov/vuln/detail/CVE-2022-3602 [ 21 ] CVE-2022-3786 https://nvd.nist.gov/vuln/detail/CVE-2022-3786 [ 22 ] CVE-2022-21824 https://nvd.nist.gov/vuln/detail/CVE-2022-21824 [ 23 ] CVE-2022-32212 https://nvd.nist.gov/vuln/detail/CVE-2022-32212 [ 24 ] CVE-2022-32213 https://nvd.nist.gov/vuln/detail/CVE-2022-32213 [ 25 ] CVE-2022-32214 https://nvd.nist.gov/vuln/detail/CVE-2022-32214 [ 26 ] CVE-2022-32215 https://nvd.nist.gov/vuln/detail/CVE-2022-32215 [ 27 ] CVE-2022-32222 https://nvd.nist.gov/vuln/detail/CVE-2022-32222 [ 28 ] CVE-2022-35255 https://nvd.nist.gov/vuln/detail/CVE-2022-35255 [ 29 ] CVE-2022-35256 https://nvd.nist.gov/vuln/detail/CVE-2022-35256 [ 30 ] CVE-2022-35948 https://nvd.nist.gov/vuln/detail/CVE-2022-35948 [ 31 ] CVE-2022-35949 https://nvd.nist.gov/vuln/detail/CVE-2022-35949 [ 32 ] CVE-2022-43548 https://nvd.nist.gov/vuln/detail/CVE-2022-43548 [ 33 ] CVE-2023-30581 https://nvd.nist.gov/vuln/detail/CVE-2023-30581 [ 34 ] CVE-2023-30582 https://nvd.nist.gov/vuln/detail/CVE-2023-30582 [ 35 ] CVE-2023-30583 https://nvd.nist.gov/vuln/detail/CVE-2023-30583 [ 36 ] CVE-2023-30584 https://nvd.nist.gov/vuln/detail/CVE-2023-30584 [ 37 ] CVE-2023-30586 https://nvd.nist.gov/vuln/detail/CVE-2023-30586 [ 38 ] CVE-2023-30587 https://nvd.nist.gov/vuln/detail/CVE-2023-30587 [ 39 ] CVE-2023-30588 https://nvd.nist.gov/vuln/detail/CVE-2023-30588 [ 40 ] CVE-2023-30589 https://nvd.nist.gov/vuln/detail/CVE-2023-30589 [ 41 ] CVE-2023-30590 https://nvd.nist.gov/vuln/detail/CVE-2023-30590 [ 42 ] CVE-2023-32002 https://nvd.nist.gov/vuln/detail/CVE-2023-32002 [ 43 ] CVE-2023-32003 https://nvd.nist.gov/vuln/detail/CVE-2023-32003 [ 44 ] CVE-2023-32004 https://nvd.nist.gov/vuln/detail/CVE-2023-32004 [ 45 ] CVE-2023-32005 https://nvd.nist.gov/vuln/detail/CVE-2023-32005 [ 46 ] CVE-2023-32006 https://nvd.nist.gov/vuln/detail/CVE-2023-32006 [ 47 ] CVE-2023-32558 https://nvd.nist.gov/vuln/detail/CVE-2023-32558 [ 48 ] CVE-2023-32559 https://nvd.nist.gov/vuln/detail/CVE-2023-32559 Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202405-29 Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ====== Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5

Trust: 2.52

sources: NVD: CVE-2022-35256 // JVNDB: JVNDB-2022-022575 // VULMON: CVE-2022-35256 // PACKETSTORM: 169408 // PACKETSTORM: 169437 // PACKETSTORM: 171839 // PACKETSTORM: 171666 // PACKETSTORM: 169781 // PACKETSTORM: 170727 // PACKETSTORM: 170658 // PACKETSTORM: 175817 // PACKETSTORM: 178512

AFFECTED PRODUCTS

vendor:nodejsmodel:node.jsscope:ltversion:16.17.1

Trust: 1.0

vendor:siemensmodel:sinec insscope:eqversion:1.0

Trust: 1.0

vendor:nodejsmodel:node.jsscope:ltversion:18.9.1

Trust: 1.0

vendor:llhttpmodel:llhttpscope:ltversion:6.0.10

Trust: 1.0

vendor:siemensmodel:sinec insscope:ltversion:1.0

Trust: 1.0

vendor:nodejsmodel:node.jsscope:gteversion:16.0.0

Trust: 1.0

vendor:nodejsmodel:node.jsscope:ltversion:14.20.1

Trust: 1.0

vendor:nodejsmodel:node.jsscope:gteversion:18.0.0

Trust: 1.0

vendor:nodejsmodel:node.jsscope:gteversion:14.15.0

Trust: 1.0

vendor:nodejsmodel:node.jsscope:lteversion:16.12.0

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:11.0

Trust: 1.0

vendor:nodejsmodel:node.jsscope:lteversion:14.14.0

Trust: 1.0

vendor:nodejsmodel:node.jsscope:gteversion:14.0.0

Trust: 1.0

vendor:nodejsmodel:node.jsscope:gteversion:16.13.0

Trust: 1.0

vendor:debianmodel:gnu/linuxscope: - version: -

Trust: 0.8

vendor:node jsmodel:node.jsscope: - version: -

Trust: 0.8

vendor:llhttpmodel:llhttpscope: - version: -

Trust: 0.8

vendor:シーメンスmodel:sinec insscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-022575 // NVD: CVE-2022-35256

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-35256
value: MEDIUM

Trust: 1.0

NVD: CVE-2022-35256
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202210-1266
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2022-35256
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.5
version: 3.1

Trust: 1.0

NVD: CVE-2022-35256
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-022575 // CNNVD: CNNVD-202210-1266 // NVD: CVE-2022-35256

PROBLEMTYPE DATA

problemtype:CWE-444

Trust: 1.0

problemtype:HTTP Request Smuggling (CWE-444) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2022-022575 // NVD: CVE-2022-35256

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 175817 // CNNVD: CNNVD-202210-1266

TYPE

environmental issue

Trust: 0.6

sources: CNNVD: CNNVD-202210-1266

PATCH

title:Node.js Remediation measures for environmental problem vulnerabilitiesurl:http://123.124.177.30/web/xxk/bdxqById.tag?id=219729

Trust: 0.6

title:Red Hat: url:https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2022-35256

Trust: 0.1

sources: VULMON: CVE-2022-35256 // CNNVD: CNNVD-202210-1266

EXTERNAL IDS

db:NVDid:CVE-2022-35256

Trust: 4.2

db:HACKERONEid:1675191

Trust: 2.4

db:SIEMENSid:SSA-332410

Trust: 2.4

db:ICS CERTid:ICSA-23-017-03

Trust: 0.8

db:JVNid:JVNVU90782730

Trust: 0.8

db:JVNDBid:JVNDB-2022-022575

Trust: 0.8

db:PACKETSTORMid:169408

Trust: 0.7

db:PACKETSTORMid:169437

Trust: 0.7

db:PACKETSTORMid:169781

Trust: 0.7

db:PACKETSTORMid:170727

Trust: 0.7

db:AUSCERTid:ESB-2022.6632

Trust: 0.6

db:AUSCERTid:ESB-2023.1926

Trust: 0.6

db:AUSCERTid:ESB-2022.5146

Trust: 0.6

db:CNNVDid:CNNVD-202210-1266

Trust: 0.6

db:VULMONid:CVE-2022-35256

Trust: 0.1

db:PACKETSTORMid:171839

Trust: 0.1

db:PACKETSTORMid:171666

Trust: 0.1

db:PACKETSTORMid:170658

Trust: 0.1

db:PACKETSTORMid:175817

Trust: 0.1

db:PACKETSTORMid:178512

Trust: 0.1

sources: VULMON: CVE-2022-35256 // JVNDB: JVNDB-2022-022575 // PACKETSTORM: 169408 // PACKETSTORM: 169437 // PACKETSTORM: 171839 // PACKETSTORM: 171666 // PACKETSTORM: 169781 // PACKETSTORM: 170727 // PACKETSTORM: 170658 // PACKETSTORM: 175817 // PACKETSTORM: 178512 // CNNVD: CNNVD-202210-1266 // NVD: CVE-2022-35256

REFERENCES

url:https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf

Trust: 2.4

url:https://hackerone.com/reports/1675191

Trust: 2.4

url:https://www.debian.org/security/2023/dsa-5326

Trust: 2.4

url:https://nvd.nist.gov/vuln/detail/cve-2022-35256

Trust: 1.7

url:https://jvn.jp/vu/jvnvu90782730/

Trust: 0.8

url:https://www.cisa.gov/news-events/ics-advisories/icsa-23-017-03

Trust: 0.8

url:https://access.redhat.com/security/cve/cve-2022-35256

Trust: 0.7

url:https://listman.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.6

url:https://bugzilla.redhat.com/):

Trust: 0.6

url:https://access.redhat.com/security/team/key/

Trust: 0.6

url:https://access.redhat.com/articles/11258

Trust: 0.6

url:https://access.redhat.com/security/team/contact/

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2022-43548

Trust: 0.6

url:https://packetstormsecurity.com/files/170727/debian-security-advisory-5326-1.html

Trust: 0.6

url:https://packetstormsecurity.com/files/169408/red-hat-security-advisory-2022-6963-01.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2023.1926

Trust: 0.6

url:https://packetstormsecurity.com/files/169781/red-hat-security-advisory-2022-7830-01.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.5146

Trust: 0.6

url:https://packetstormsecurity.com/files/169437/red-hat-security-advisory-2022-7044-01.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.6632

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-35256/

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2021-44906

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2021-44532

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2022-21824

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2021-44531

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2021-44533

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2021-44906

Trust: 0.4

url:https://access.redhat.com/security/updates/classification/#important

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2022-35255

Trust: 0.3

url:https://access.redhat.com/security/updates/classification/#moderate

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2021-44533

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2021-44531

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2021-44532

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2022-21824

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2022-3517

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2022-3517

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2022-43548

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2022-32214

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2022-32212

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2022-32215

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2023-23918

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-35065

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-35065

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-24999

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-24999

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-38900

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-4904

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2023-23920

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-25881

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-4904

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-25881

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-38900

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-32213

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-35255

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2022:6963

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2022:7044

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-0235

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2023:1742

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-0235

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2023:1533

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-23918

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-23920

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2022:7830

Trust: 0.1

url:https://security-tracker.debian.org/tracker/nodejs

Trust: 0.1

url:https://www.debian.org/security/

Trust: 0.1

url:https://www.debian.org/security/faq

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2023:0321

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/nodejs/12.22.9~dfsg-1ubuntu3.2

Trust: 0.1

url:https://ubuntu.com/security/notices/usn-6491-1

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/nodejs/10.19.0~dfsg-3ubuntu1.3

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-22960

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-30587

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-32006

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-22931

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-32222

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-22939

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-32558

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-30588

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-3672

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-35949

Trust: 0.1

url:https://security.gentoo.org/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-22959

Trust: 0.1

url:https://security.gentoo.org/glsa/202405-29

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-22918

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-32004

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-30584

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-7774

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-30589

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-32003

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-22883

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-0778

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-22884

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-35948

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-32002

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-30582

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-3602

Trust: 0.1

url:https://creativecommons.org/licenses/by-sa/2.5

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-3786

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-30590

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-30586

Trust: 0.1

url:https://bugs.gentoo.org.

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-22940

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-32005

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-32559

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-22930

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-39135

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-39134

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-30581

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-37712

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-30583

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-37701

Trust: 0.1

sources: VULMON: CVE-2022-35256 // JVNDB: JVNDB-2022-022575 // PACKETSTORM: 169408 // PACKETSTORM: 169437 // PACKETSTORM: 171839 // PACKETSTORM: 171666 // PACKETSTORM: 169781 // PACKETSTORM: 170727 // PACKETSTORM: 170658 // PACKETSTORM: 175817 // PACKETSTORM: 178512 // CNNVD: CNNVD-202210-1266 // NVD: CVE-2022-35256

CREDITS

Red Hat

Trust: 0.6

sources: PACKETSTORM: 169408 // PACKETSTORM: 169437 // PACKETSTORM: 171839 // PACKETSTORM: 171666 // PACKETSTORM: 169781 // PACKETSTORM: 170658

SOURCES

db:VULMONid:CVE-2022-35256
db:JVNDBid:JVNDB-2022-022575
db:PACKETSTORMid:169408
db:PACKETSTORMid:169437
db:PACKETSTORMid:171839
db:PACKETSTORMid:171666
db:PACKETSTORMid:169781
db:PACKETSTORMid:170727
db:PACKETSTORMid:170658
db:PACKETSTORMid:175817
db:PACKETSTORMid:178512
db:CNNVDid:CNNVD-202210-1266
db:NVDid:CVE-2022-35256

LAST UPDATE DATE

2024-11-07T19:33:15.945000+00:00


SOURCES UPDATE DATE

db:JVNDBid:JVNDB-2022-022575date:2023-11-17T08:21:00
db:CNNVDid:CNNVD-202210-1266date:2023-04-04T00:00:00
db:NVDid:CVE-2022-35256date:2023-05-12T13:30:33.190

SOURCES RELEASE DATE

db:JVNDBid:JVNDB-2022-022575date:2023-11-17T00:00:00
db:PACKETSTORMid:169408date:2022-10-18T22:30:35
db:PACKETSTORMid:169437date:2022-10-20T14:20:24
db:PACKETSTORMid:171839date:2023-04-12T16:57:08
db:PACKETSTORMid:171666date:2023-04-03T17:32:27
db:PACKETSTORMid:169781date:2022-11-08T13:50:47
db:PACKETSTORMid:170727date:2023-01-25T16:09:12
db:PACKETSTORMid:170658date:2023-01-24T16:29:02
db:PACKETSTORMid:175817date:2023-11-21T16:00:44
db:PACKETSTORMid:178512date:2024-05-09T15:46:44
db:CNNVDid:CNNVD-202210-1266date:2022-10-18T00:00:00
db:NVDid:CVE-2022-35256date:2022-12-05T22:15:10.570