{
  "threat_severity" : "Moderate",
  "public_date" : "2022-07-08T00:00:00Z",
  "bugzilla" : {
    "description" : "nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding",
    "id" : "2105430",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2105430"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-444",
  "details" : [ "The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).", "A vulnerability was found in Node.js due to improper validation of HTTP requests. The llhttp parser in the http module does not correctly parse and validate Transfer-Encoding headers. This issue can lead to HTTP Request Smuggling (HRS), which in turn can enable web cache poisoning and cross-site scripting (XSS) attacks." ],
  "acknowledgement" : "Upstream acknowledges Zeyu Zhang as the original reporter.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-09-13T00:00:00Z",
    "advisory" : "RHSA-2022:6448",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:14-8060020220804102127.ad008a3a"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-09-13T00:00:00Z",
    "advisory" : "RHSA-2022:6449",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:16-8060020220805104227.ad008a3a"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support",
    "release_date" : "2022-10-18T00:00:00Z",
    "advisory" : "RHSA-2022:6985",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.4",
    "package" : "nodejs:14-8040020220804130254.522a0ee4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-09-20T00:00:00Z",
    "advisory" : "RHSA-2022:6595",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nodejs-1:16.16.0-1.el9_0"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2022-09-08T00:00:00Z",
    "advisory" : "RHSA-2022:6389",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs14-nodejs-0:14.20.0-2.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "nodejs:18/nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-32213\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-32213\nhttps://nodejs.org/en/blog/vulnerability/july-2022-security-releases/" ],
  "name" : "CVE-2022-32213",
  "csaw" : false
}