CVE-2012-2330

Node.js <0.6.17 & <0.7.8 - Info Disclosure

Title source: llm

Description

The Update method in src/node_http_parser.cc in Node.js before 0.6.17 and 0.7 before 0.7.8 does not properly check the length of a string, which allows remote attackers to obtain sensitive information (request header contents) and possibly spoof HTTP headers via a zero length string.

References (7)

[Various Sources] http://blog.nodejs.org/2012/05/04/version-0-6-17-stable/

[Vendor Advisory] http://secunia.com/advisories/49066

[Exploit, Patch] https://github.com/joyent/node/commit/7b3fb22

[Exploit, Patch] https://github.com/joyent/node/commit/c9a231d

[Vendor Advisory] https://support.f5.com/csp/article/K99038439?utm_source=f5support&amp%3Butm_medium=RSS

[Mailing List] http://www.openwall.com/lists/oss-security/2012/05/08/4

[Mailing List] http://www.openwall.com/lists/oss-security/2012/05/08/8

Scores

EPSS 0.0062

EPSS Percentile 69.7%

Classification

CWE

CWE-20

Status draft

Affected Products (9)

nodejs/nodejs < 0.6.16

nodejs/nodejs

nodejs/nodejs

nodejs/nodejs

nodejs/nodejs

nodejs/nodejs

nodejs/nodejs

nodejs/nodejs

nodejs/nodejs

Timeline

Published Aug 13, 2012

Tracked Since Feb 18, 2026