CVE-2016-2086

Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allow remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177184.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177673.html
http://www.securityfocus.com/bid/83282
https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/	Patch Vendor Advisory
https://security.gentoo.org/glsa/201612-43

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nodejs:node.js:0.10.0:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.1:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.2:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.3:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.4:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.5:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.6:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.7:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.8:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.9:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.10:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.11:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.12:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.13:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.14:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.15:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.16:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.16-isaacs-manual:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.17:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.18:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.19:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.20:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.21:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.22:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.23:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.24:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.25:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.26:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.27:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.28:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.29:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.30:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.31:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.32:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.33:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.34:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.35:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.36:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.37:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.38:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.39:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.40:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.41:::::::*
	cpe:2.3:a:nodejs:node.js:0.12.0:::::::*
	cpe:2.3:a:nodejs:node.js:0.12.1:::::::*
	cpe:2.3:a:nodejs:node.js:0.12.2:::::::*
	cpe:2.3:a:nodejs:node.js:0.12.3:::::::*
	cpe:2.3:a:nodejs:node.js:0.12.4:::::::*
	cpe:2.3:a:nodejs:node.js:0.12.5:::::::*
	cpe:2.3:a:nodejs:node.js:0.12.6:::::::*
	cpe:2.3:a:nodejs:node.js:0.12.7:::::::*
	cpe:2.3:a:nodejs:node.js:0.12.8:::::::*
	cpe:2.3:a:nodejs:node.js:0.12.9:::::::*
	cpe:2.3:a:nodejs:node.js:4.0.0:::::::*
	cpe:2.3:a:nodejs:node.js:4.1.0:::::::*
	cpe:2.3:a:nodejs:node.js:4.1.1:::::::*
	cpe:2.3:a:nodejs:node.js:4.1.2:::::::*
	cpe:2.3:a:nodejs:node.js:4.2.0:::::::*
	cpe:2.3:a:nodejs:node.js:4.2.1:::::::*
	cpe:2.3:a:nodejs:node.js:4.2.2:::::::*
	cpe:2.3:a:nodejs:node.js:4.2.3:::::::*
	cpe:2.3:a:nodejs:node.js:4.2.4:::::::*
	cpe:2.3:a:nodejs:node.js:4.2.5:::::::*
	cpe:2.3:a:nodejs:node.js:4.2.6:::::::*
cpe:2.3:a:nodejs:node.js:5.0.0:::::::*
cpe:2.3:a:nodejs:node.js:5.1.0:::::::*
cpe:2.3:a:nodejs:node.js:5.1.1:::::::*
cpe:2.3:a:nodejs:node.js:5.2.0:::::::*
cpe:2.3:a:nodejs:node.js:5.3.0:::::::*
cpe:2.3:a:nodejs:node.js:5.4.0:::::::*
cpe:2.3:a:nodejs:node.js:5.4.1:::::::*
cpe:2.3:a:nodejs:node.js:5.5.0:::::::*

Configuration 2 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:22:::::::*
	cpe:2.3:o:fedoraproject:fedora:23:::::::*

History

No history.

Information

Published : 2016-04-07 21:59

Updated : 2024-02-04 18:53

NVD link : CVE-2016-2086

Mitre link : CVE-2016-2086

CVE.ORG link : CVE-2016-2086

JSON object : View

Products Affected

nodejs

node.js

fedoraproject

fedora

CWE

CWE-20

Improper Input Validation

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2016-2086

7.5^/10

5.0^/10

Attach tags to `CVE-2016-2086`