Bug 1208413 (CVE-2023-24807) - VUL-0: CVE-2023-24807: nodejs: node-undici: ReDoS via `Headers.set()` and `Headers.append()` methods
Status: RESOLVED FIXED
Alias: CVE-2023-24807
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium / Major
Target Milestone: ---
Assignee: Adam Majer
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/357434/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-24807:7.5:(AV:...
Reported: 2023-02-17 08:40 UTC by Gabriele Sonnu
Modified: 2023-05-03 12:54 UTC
CC: 2 users
Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Gabriele Sonnu 2023-02-17 08:40:34 UTC
CVE-2023-24807

Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the
`Headers.set()` and `Headers.append()` methods are vulnerable to Regular
Expression Denial of Service (ReDoS) attacks when untrusted values are passed
into the functions. This is due to the inefficient regular expression used to
normalize the values in the `headerValueNormalize()` utility function. This
vulnerability was patched in v5.19.1. No known workarounds are available.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24807
https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf
https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w
https://www.cve.org/CVERecord?id=CVE-2023-24807
https://github.com/nodejs/undici/releases/tag/v5.19.1
https://hackerone.com/bugs?report_id=1784449
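The description above attributes the ReDoS to an inefficient trim regex in `headerValueNormalize()`; the added example below (not undici's source and not part of the bug report) contrasts an assumed regex of that shape with the linear-scan normalizer that removes the backtracking, and checks that the two agree on ordinary header values. The `/^[\r\n\t ]+|[\r\n\t ]+$/g` pattern, the `pathologicalValue` helper and the sample values are constructed for illustration; the real fix is in the linked commit.

```javascript
// Added illustration, not undici's own code. ASSUMED stand-in for the trim
// regex the advisory describes: the `[\r\n\t ]+$` alternative is retried from
// every position of a long whitespace run that does not end the string, so
// the cost grows quadratically with the run length.
const HTTP_WS_TRIM = /^[\r\n\t ]+|[\r\n\t ]+$/g;

function normalizeWithRegex(value) {
  return value.replace(HTTP_WS_TRIM, '');
}

// HTTP whitespace per the Fetch spec: TAB, LF, CR, SPACE.
function isHttpWhitespace(code) {
  return code === 0x09 || code === 0x0a || code === 0x0d || code === 0x20;
}

// Mitigation shape: trim by indexing inward from both ends. Each character is
// inspected at most once, so the cost is linear regardless of input.
function normalizeLinear(value) {
  let start = 0;
  let end = value.length;
  while (end > start && isHttpWhitespace(value.charCodeAt(end - 1))) end--;
  while (end > start && isHttpWhitespace(value.charCodeAt(start))) start++;
  return start === 0 && end === value.length ? value : value.slice(start, end);
}

// Constructed worst case: a non-whitespace byte, n spaces, then another
// non-whitespace byte. The leading `^` branch cannot consume the spaces, so the
// trailing branch backtracks through them from each of the n positions.
function pathologicalValue(n) {
  return 'a' + ' '.repeat(n) + 'b';
}

// Wall-clock cost of one normalizer on one input, in milliseconds.
function timeMs(normalize, input) {
  const t0 = process.hrtime.bigint();
  normalize(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Constructed header values; both implementations must agree on all of them
// before the linear version can replace the regex.
const SAMPLE_VALUES = ['', '   ', '\t text/html; charset=utf-8 \r\n', 'no-ws', '\n\n x \t'];
function implementationsAgree() {
  return SAMPLE_VALUES.every((v) => normalizeWithRegex(v) === normalizeLinear(v));
}

// Doubling n roughly quadruples the regex time while the linear scan stays flat.
for (const n of [2000, 4000, 8000]) {
  const input = pathologicalValue(n);
  console.log(`n=${n} regex ${timeMs(normalizeWithRegex, input).toFixed(1)} ms,` +
              ` linear ${timeMs(normalizeLinear, input).toFixed(3)} ms`);
}
```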
Comment 1 Gabriele Sonnu 2023-02-17 08:51:14 UTC
We embed node-undici in:

- SUSE:SLE-12-SP5:Update/nodejs16     node-undici (5.10.0)
- SUSE:SLE-12-SP5:Update/nodejs18     node-undici (5.13.0)
- SUSE:SLE-15-SP3:Update/nodejs16     node-undici (5.10.0)
- SUSE:SLE-15-SP4:Update/nodejs16     node-undici (5.10.0)
- SUSE:SLE-15-SP4:Update/nodejs18     node-undici (5.13.0)
- openSUSE:Factory/nodejs18           node-undici (5.13.0)
- openSUSE:Factory/nodejs19           node-undici (5.16.0)
Comment 2 OBSbugzilla Bot 2023-02-22 16:35:02 UTC
This is an autogenerated message for OBS integration:
This bug (1208413) was mentioned in
https://build.opensuse.org/request/show/1067186 Factory / nodejs19
https://build.opensuse.org/request/show/1067187 Factory / nodejs18
Comment 5 Maintenance Automation 2023-03-03 12:30:09 UTC
SUSE-SU-2023:0609-1: An update that solves five vulnerabilities and has one fix can now be installed.

Category: security (important)
Bug References: 1205568, 1208413, 1208481, 1208483, 1208485, 1208487
CVE References: CVE-2023-23918, CVE-2023-23919, CVE-2023-23920, CVE-2023-23936, CVE-2023-24807
Sources used:
Web and Scripting Module 12 (src): nodejs16-16.19.1-8.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Maintenance Automation 2023-03-03 12:30:14 UTC
SUSE-SU-2023:0608-1: An update that solves five vulnerabilities and has one fix can now be installed.

Category: security (important)
Bug References: 1205568, 1208413, 1208481, 1208483, 1208485, 1208487
CVE References: CVE-2023-23918, CVE-2023-23919, CVE-2023-23920, CVE-2023-23936, CVE-2023-24807
Sources used:
openSUSE Leap 15.4 (src): nodejs16-16.19.1-150400.3.15.1
Web and Scripting Module 15-SP4 (src): nodejs16-16.19.1-150400.3.15.1
Comment 7 Maintenance Automation 2023-03-08 16:30:15 UTC
SUSE-SU-2023:0673-1: An update that solves five vulnerabilities and has one fix can now be installed.

Category: security (important)
Bug References: 1205568, 1208413, 1208481, 1208483, 1208485, 1208487
CVE References: CVE-2023-23918, CVE-2023-23919, CVE-2023-23920, CVE-2023-23936, CVE-2023-24807
Sources used:
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): nodejs16-16.19.1-150300.7.18.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): nodejs16-16.19.1-150300.7.18.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): nodejs16-16.19.1-150300.7.18.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): nodejs16-16.19.1-150300.7.18.1
SUSE Manager Server 4.2 (src): nodejs16-16.19.1-150300.7.18.1
SUSE Enterprise Storage 7.1 (src): nodejs16-16.19.1-150300.7.18.1
Comment 8 Maintenance Automation 2023-03-13 12:30:02 UTC
SUSE-SU-2023:0715-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1208413, 1208481, 1208483, 1208485, 1208487
CVE References: CVE-2023-23918, CVE-2023-23919, CVE-2023-23920, CVE-2023-23936, CVE-2023-24807
Sources used:
Web and Scripting Module 12 (src): nodejs18-18.14.2-8.6.2
Comment 9 Maintenance Automation 2023-03-15 08:30:01 UTC
SUSE-SU-2023:0738-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1208413, 1208481, 1208483, 1208485, 1208487
CVE References: CVE-2023-23918, CVE-2023-23919, CVE-2023-23920, CVE-2023-23936, CVE-2023-24807
Sources used:
openSUSE Leap 15.4 (src): nodejs18-18.14.2-150400.9.6.2
Web and Scripting Module 15-SP4 (src): nodejs18-18.14.2-150400.9.6.2