Search for vulnerabilities
Vulnerability details: VCID-eqfm-yp6y-aaab
Vulnerability ID VCID-eqfm-yp6y-aaab
Aliases CVE-2022-32215
Summary The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
Status Published
Exploitability 2.0
Weighted Severity 7.0
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 6.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32215.json
epss 0.00520 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.00520 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.00520 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.00520 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.00952 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.00952 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.00952 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.00952 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.00952 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.00952 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.00952 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.00952 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.00952 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.00952 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.00952 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.77974 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.77974 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.77974 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.7868 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.7868 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.87807 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.87988 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.88489 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.88489 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.88489 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.88489 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.88489 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.88489 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.88489 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.88489 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.88489 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.88489 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.88489 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.88489 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.88489 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.88489 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.88489 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.88604 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.88604 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.88604 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.89572 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.89572 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.89572 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.89572 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.89572 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.89572 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.89572 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
epss 0.89572 https://api.first.org/data/v1/epss?cve=CVE-2022-32215
rhbs medium https://bugzilla.redhat.com/show_bug.cgi?id=2105426
cvssv3.1 9.1 https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
generic_textual CRITICAL https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
cvssv3.1 6.8 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3 6.5 https://nvd.nist.gov/vuln/detail/CVE-2022-32215
cvssv3.1 6.5 https://nvd.nist.gov/vuln/detail/CVE-2022-32215
cvssv3.1 9.1 https://www.debian.org/security/2023/dsa-5326
generic_textual CRITICAL https://www.debian.org/security/2023/dsa-5326
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32215.json
https://api.first.org/data/v1/epss?cve=CVE-2022-32215
https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32213
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32214
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32215
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35255
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://hackerone.com/reports/1501679
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
https://www.debian.org/security/2023/dsa-5326
2105426 https://bugzilla.redhat.com/show_bug.cgi?id=2105426
977716 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977716
cpe:2.3:a:llhttp:llhttp:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:llhttp:llhttp:*:*:*:*:*:*:*:*
cpe:2.3:a:llhttp:llhttp:*:*:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:llhttp:llhttp:*:*:*:*:*:node.js:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:*
cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:*
cpe:2.3:a:siemens:sinec_ins:1.0:sp2:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:siemens:sinec_ins:1.0:sp2:*:*:*:*:*:*
cpe:2.3:a:stormshield:stormshield_management_center:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:stormshield:stormshield_management_center:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
CVE-2022-32215 https://nvd.nist.gov/vuln/detail/CVE-2022-32215
GLSA-202405-29 https://security.gentoo.org/glsa/202405-29
RHSA-2022:6389 https://access.redhat.com/errata/RHSA-2022:6389
RHSA-2022:6448 https://access.redhat.com/errata/RHSA-2022:6448
RHSA-2022:6449 https://access.redhat.com/errata/RHSA-2022:6449
RHSA-2022:6595 https://access.redhat.com/errata/RHSA-2022:6595
RHSA-2022:6985 https://access.redhat.com/errata/RHSA-2022:6985
USN-6491-1 https://usn.ubuntu.com/6491-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32215.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-32215
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-32215
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://www.debian.org/security/2023/dsa-5326
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.76668
EPSS Score 0.00520
Published At Dec. 17, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.