CVE-2023-23936

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-23936

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-23936.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-23936

Aliases

Related

Published

2023-02-16T18:15:10Z

Modified

2024-09-18T03:25:19.877529Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect host HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the headers.host string before passing to undici.

References

Affected packages

Alpine:v3.15 / nodejs

Package

Name: nodejs
Purl: pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

16.19.1-r0

Affected versions

4.*

4.4.3-r0

4.4.4-r0

4.4.5-r0

4.4.7-r0

4.5.0-r0

6.*

6.9.1-r0

6.9.1-r1

6.9.2-r0

6.9.4-r0

6.9.4-r1

6.9.5-r0

6.9.5-r1

6.10.0-r0

6.10.1-r0

6.10.3-r0

6.11.0-r0

6.11.1-r0

6.11.1-r1

6.11.1-r2

6.11.2-r0

6.11.3-r0

6.11.4-r0

6.11.5-r0

8.*

8.9.0-r0

8.9.1-r0

8.9.2-r0

8.9.3-r0

8.9.3-r1

8.9.4-r0

8.10.0-r0

8.11.0-r0

8.11.0-r1

8.11.1-r0

8.11.1-r1

8.11.1-r2

8.11.2-r0

8.11.3-r0

8.11.3-r1

8.11.3-r2

8.11.3-r3

8.11.4-r0

8.12.0-r0

10.*

10.13.0-r0

10.14.0-r0

10.14.1-r0

10.14.2-r0

10.15.1-r0

10.15.3-r0

10.16.0-r0

10.16.1-r0

10.16.2-r0

10.16.3-r0

12.*

12.13.0-r0

12.13.0-r1

12.13.1-r0

12.14.0-r0

12.14.1-r0

12.15.0-r0

12.15.0-r1

12.15.0-r2

12.16.2-r0

12.16.3-r0

12.16.3-r1

12.17.0-r0

12.18.0-r0

12.18.0-r1

12.18.0-r2

12.18.2-r0

12.18.3-r0

12.18.4-r0

12.19.0-r0

14.*

14.15.1-r0

14.15.3-r0

14.15.3-r1

14.15.3-r2

14.15.4-r0

14.15.5-r0

14.16.0-r0

14.16.0-r1

14.16.1-r0

14.16.1-r1

14.16.1-r2

14.17.0-r0

14.17.1-r0

14.17.2-r0

14.17.3-r0

14.17.4-r0

14.17.5-r0

14.17.6-r0

14.17.6-r1

14.18.0-r0

14.18.1-r0

14.18.1-r1

16.*

16.13.0-r0

16.13.1-r0

16.13.2-r0

16.14.0-r0

16.14.2-r0

16.16.0-r0

16.17.1-r0

Alpine:v3.16 / nodejs

Package

Name: nodejs
Purl: pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

16.19.1-r0

Affected versions

4.*

4.4.3-r0

4.4.4-r0

4.4.5-r0

4.4.7-r0

4.5.0-r0

6.*

6.9.1-r0

6.9.1-r1

6.9.2-r0

6.9.4-r0

6.9.4-r1

6.9.5-r0

6.9.5-r1

6.10.0-r0

6.10.1-r0

6.10.3-r0

6.11.0-r0

6.11.1-r0

6.11.1-r1

6.11.1-r2

6.11.2-r0

6.11.3-r0

6.11.4-r0

6.11.5-r0

8.*

8.9.0-r0

8.9.1-r0

8.9.2-r0

8.9.3-r0

8.9.3-r1

8.9.4-r0

8.10.0-r0

8.11.0-r0

8.11.0-r1

8.11.1-r0

8.11.1-r1

8.11.1-r2

8.11.2-r0

8.11.3-r0

8.11.3-r1

8.11.3-r2

8.11.3-r3

8.11.4-r0

8.12.0-r0

10.*

10.13.0-r0

10.14.0-r0

10.14.1-r0

10.14.2-r0

10.15.1-r0

10.15.3-r0

10.16.0-r0

10.16.1-r0

10.16.2-r0

10.16.3-r0

12.*

12.13.0-r0

12.13.0-r1

12.13.1-r0

12.14.0-r0

12.14.1-r0

12.15.0-r0

12.15.0-r1

12.15.0-r2

12.16.2-r0

12.16.3-r0

12.16.3-r1

12.17.0-r0

12.18.0-r0

12.18.0-r1

12.18.0-r2

12.18.2-r0

12.18.3-r0

12.18.4-r0

12.19.0-r0

14.*

14.15.1-r0

14.15.3-r0

14.15.3-r1

14.15.3-r2

14.15.4-r0

14.15.5-r0

14.16.0-r0

14.16.0-r1

14.16.1-r0

14.16.1-r1

14.16.1-r2

14.17.0-r0

14.17.1-r0

14.17.2-r0

14.17.3-r0

14.17.4-r0

14.17.5-r0

14.17.6-r0

14.17.6-r1

14.18.0-r0

14.18.1-r0

14.18.1-r1

16.*

16.13.0-r0

16.13.1-r0

16.13.1-r1

16.13.2-r0

16.13.2-r1

16.14.2-r0

16.14.2-r1

16.15.0-r0

16.15.0-r1

16.16.0-r0

16.17.1-r0

Alpine:v3.17 / nodejs

Package

Name: nodejs
Purl: pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

18.14.1-r0

Affected versions

4.*

4.4.3-r0

4.4.4-r0

4.4.5-r0

4.4.7-r0

4.5.0-r0

6.*

6.9.1-r0

6.9.1-r1

6.9.2-r0

6.9.4-r0

6.9.4-r1

6.9.5-r0

6.9.5-r1

6.10.0-r0

6.10.1-r0

6.10.3-r0

6.11.0-r0

6.11.1-r0

6.11.1-r1

6.11.1-r2

6.11.2-r0

6.11.3-r0

6.11.4-r0

6.11.5-r0

8.*

8.9.0-r0

8.9.1-r0

8.9.2-r0

8.9.3-r0

8.9.3-r1

8.9.4-r0

8.10.0-r0

8.11.0-r0

8.11.0-r1

8.11.1-r0

8.11.1-r1

8.11.1-r2

8.11.2-r0

8.11.3-r0

8.11.3-r1

8.11.3-r2

8.11.3-r3

8.11.4-r0

8.12.0-r0

10.*

10.13.0-r0

10.14.0-r0

10.14.1-r0

10.14.2-r0

10.15.1-r0

10.15.3-r0

10.16.0-r0

10.16.1-r0

10.16.2-r0

10.16.3-r0

12.*

12.13.0-r0

12.13.0-r1

12.13.1-r0

12.14.0-r0

12.14.1-r0

12.15.0-r0

12.15.0-r1

12.15.0-r2

12.16.2-r0

12.16.3-r0

12.16.3-r1

12.17.0-r0

12.18.0-r0

12.18.0-r1

12.18.0-r2

12.18.2-r0

12.18.3-r0

12.18.4-r0

12.19.0-r0

14.*

14.15.1-r0

14.15.3-r0

14.15.3-r1

14.15.3-r2

14.15.4-r0

14.15.5-r0

14.16.0-r0

14.16.0-r1

14.16.1-r0

14.16.1-r1

14.16.1-r2

14.17.0-r0

14.17.1-r0

14.17.2-r0

14.17.3-r0

14.17.4-r0

14.17.5-r0

14.17.6-r0

14.17.6-r1

14.18.0-r0

14.18.1-r0

14.18.1-r1

16.*

16.13.0-r0

16.13.1-r0

16.13.1-r1

16.13.2-r0

16.13.2-r1

16.14.2-r0

16.14.2-r1

16.15.0-r0

16.15.0-r1

16.16.0-r0

16.16.0-r1

16.17.0-r0

16.17.1-r0

16.18.0-r0

16.18.0-r1

18.*

18.12.0-r0

18.12.1-r0

Alpine:v3.18 / nodejs

Package

Name: nodejs
Purl: pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

18.14.1-r0

Affected versions

4.*

4.4.3-r0

4.4.4-r0

4.4.5-r0

4.4.7-r0

4.5.0-r0

6.*

6.9.1-r0

6.9.1-r1

6.9.2-r0

6.9.4-r0

6.9.4-r1

6.9.5-r0

6.9.5-r1

6.10.0-r0

6.10.1-r0

6.10.3-r0

6.11.0-r0

6.11.1-r0

6.11.1-r1

6.11.1-r2

6.11.2-r0

6.11.3-r0

6.11.4-r0

6.11.5-r0

8.*

8.9.0-r0

8.9.1-r0

8.9.2-r0

8.9.3-r0

8.9.3-r1

8.9.4-r0

8.10.0-r0

8.11.0-r0

8.11.0-r1

8.11.1-r0

8.11.1-r1

8.11.1-r2

8.11.2-r0

8.11.3-r0

8.11.3-r1

8.11.3-r2

8.11.3-r3

8.11.4-r0

8.12.0-r0

10.*

10.13.0-r0

10.14.0-r0

10.14.1-r0

10.14.2-r0

10.15.1-r0

10.15.3-r0

10.16.0-r0

10.16.1-r0

10.16.2-r0

10.16.3-r0

12.*

12.13.0-r0

12.13.0-r1

12.13.1-r0

12.14.0-r0

12.14.1-r0

12.15.0-r0

12.15.0-r1

12.15.0-r2

12.16.2-r0

12.16.3-r0

12.16.3-r1

12.17.0-r0

12.18.0-r0

12.18.0-r1

12.18.0-r2

12.18.2-r0

12.18.3-r0

12.18.4-r0

12.19.0-r0

14.*

14.15.1-r0

14.15.3-r0

14.15.3-r1

14.15.3-r2

14.15.4-r0

14.15.5-r0

14.16.0-r0

14.16.0-r1

14.16.1-r0

14.16.1-r1

14.16.1-r2

14.17.0-r0

14.17.1-r0

14.17.2-r0

14.17.3-r0

14.17.4-r0

14.17.5-r0

14.17.6-r0

14.17.6-r1

14.18.0-r0

14.18.1-r0

14.18.1-r1

16.*

16.13.0-r0

16.13.1-r0

16.13.1-r1

16.13.2-r0

16.13.2-r1

16.14.2-r0

16.14.2-r1

16.15.0-r0

16.15.0-r1

16.16.0-r0

16.16.0-r1

16.17.0-r0

16.17.1-r0

16.18.0-r0

16.18.0-r1

18.*

18.12.0-r0

18.12.1-r0

18.13.0-r0

18.14.0-r0

Alpine:v3.19 / nodejs

Package

Name: nodejs
Purl: pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

18.14.1-r0

Affected versions

4.*

4.4.3-r0

4.4.4-r0

4.4.5-r0

4.4.7-r0

4.5.0-r0

6.*

6.9.1-r0

6.9.1-r1

6.9.2-r0

6.9.4-r0

6.9.4-r1

6.9.5-r0

6.9.5-r1

6.10.0-r0

6.10.1-r0

6.10.3-r0

6.11.0-r0

6.11.1-r0

6.11.1-r1

6.11.1-r2

6.11.2-r0

6.11.3-r0

6.11.4-r0

6.11.5-r0

8.*

8.9.0-r0

8.9.1-r0

8.9.2-r0

8.9.3-r0

8.9.3-r1

8.9.4-r0

8.10.0-r0

8.11.0-r0

8.11.0-r1

8.11.1-r0

8.11.1-r1

8.11.1-r2

8.11.2-r0

8.11.3-r0

8.11.3-r1

8.11.3-r2

8.11.3-r3

8.11.4-r0

8.12.0-r0

10.*

10.13.0-r0

10.14.0-r0

10.14.1-r0

10.14.2-r0

10.15.1-r0

10.15.3-r0

10.16.0-r0

10.16.1-r0

10.16.2-r0

10.16.3-r0

12.*

12.13.0-r0

12.13.0-r1

12.13.1-r0

12.14.0-r0

12.14.1-r0

12.15.0-r0

12.15.0-r1

12.15.0-r2

12.16.2-r0

12.16.3-r0

12.16.3-r1

12.17.0-r0

12.18.0-r0

12.18.0-r1

12.18.0-r2

12.18.2-r0

12.18.3-r0

12.18.4-r0

12.19.0-r0

14.*

14.15.1-r0

14.15.3-r0

14.15.3-r1

14.15.3-r2

14.15.4-r0

14.15.5-r0

14.16.0-r0

14.16.0-r1

14.16.1-r0

14.16.1-r1

14.16.1-r2

14.17.0-r0

14.17.1-r0

14.17.2-r0

14.17.3-r0

14.17.4-r0

14.17.5-r0

14.17.6-r0

14.17.6-r1

14.18.0-r0

14.18.1-r0

14.18.1-r1

16.*

16.13.0-r0

16.13.1-r0

16.13.1-r1

16.13.2-r0

16.13.2-r1

16.14.2-r0

16.14.2-r1

16.15.0-r0

16.15.0-r1

16.16.0-r0

16.16.0-r1

16.17.0-r0

16.17.1-r0

16.18.0-r0

16.18.0-r1

18.*

18.12.0-r0

18.12.1-r0

18.13.0-r0

18.14.0-r0

Alpine:v3.20 / nodejs

Package

Name: nodejs
Purl: pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

18.14.1-r0

Affected versions

4.*

4.4.3-r0

4.4.4-r0

4.4.5-r0

4.4.7-r0

4.5.0-r0

6.*

6.9.1-r0

6.9.1-r1

6.9.2-r0

6.9.4-r0

6.9.4-r1

6.9.5-r0

6.9.5-r1

6.10.0-r0

6.10.1-r0

6.10.3-r0

6.11.0-r0

6.11.1-r0

6.11.1-r1

6.11.1-r2

6.11.2-r0

6.11.3-r0

6.11.4-r0

6.11.5-r0

8.*

8.9.0-r0

8.9.1-r0

8.9.2-r0

8.9.3-r0

8.9.3-r1

8.9.4-r0

8.10.0-r0

8.11.0-r0

8.11.0-r1

8.11.1-r0

8.11.1-r1

8.11.1-r2

8.11.2-r0

8.11.3-r0

8.11.3-r1

8.11.3-r2

8.11.3-r3

8.11.4-r0

8.12.0-r0

10.*

10.13.0-r0

10.14.0-r0

10.14.1-r0

10.14.2-r0

10.15.1-r0

10.15.3-r0

10.16.0-r0

10.16.1-r0

10.16.2-r0

10.16.3-r0

12.*

12.13.0-r0

12.13.0-r1

12.13.1-r0

12.14.0-r0

12.14.1-r0

12.15.0-r0

12.15.0-r1

12.15.0-r2

12.16.2-r0

12.16.3-r0

12.16.3-r1

12.17.0-r0

12.18.0-r0

12.18.0-r1

12.18.0-r2

12.18.2-r0

12.18.3-r0

12.18.4-r0

12.19.0-r0

14.*

14.15.1-r0

14.15.3-r0

14.15.3-r1

14.15.3-r2

14.15.4-r0

14.15.5-r0

14.16.0-r0

14.16.0-r1

14.16.1-r0

14.16.1-r1

14.16.1-r2

14.17.0-r0

14.17.1-r0

14.17.2-r0

14.17.3-r0

14.17.4-r0

14.17.5-r0

14.17.6-r0

14.17.6-r1

14.18.0-r0

14.18.1-r0

14.18.1-r1

16.*

16.13.0-r0

16.13.1-r0

16.13.1-r1

16.13.2-r0

16.13.2-r1

16.14.2-r0

16.14.2-r1

16.15.0-r0

16.15.0-r1

16.16.0-r0

16.16.0-r1

16.17.0-r0

16.17.1-r0

16.18.0-r0

16.18.0-r1

18.*

18.12.0-r0

18.12.1-r0

18.13.0-r0

18.14.0-r0

Debian:12 / node-undici

Package

Name: node-undici
Purl: pkg:deb/debian/node-undici?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1

Affected versions

5.*

5.15.0+dfsg1+~cs20.10.9.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / node-undici

Package

Name: node-undici
Purl: pkg:deb/debian/node-undici?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.19.1+dfsg1+~cs20.10.9.5-1

Affected versions

5.*

5.15.0+dfsg1+~cs20.10.9.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/nodejs/node

Affected ranges

Type: GIT
Repo: https://github.com/nodejs/node
Events: Introduced

cc993fb2760d01457955f5b9ff787d559ed1c34e

Fixed

a9d1e5059f9cc63cafc8e786a7b6332aa7ab3b2b

Type: GIT
Repo: https://github.com/nodejs/undici
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

a2eff05401358f6595138df963837c24348f2034

Affected versions

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.1.0

v1.2.0

v1.2.1

v1.2.2

v1.2.5

v1.2.6

v1.3.0

v1.3.1

v19.*

v19.0.0

v19.0.1

v19.1.0

v19.2.0

v19.3.0

v19.4.0

v19.5.0

v19.6.0

v2.*

v2.0.0

v2.0.1

v2.0.2

v2.0.3

v2.0.4

v2.0.5

v2.0.6

v2.0.7

v2.1.0

v3.*

v3.0.0

v3.1.0

v3.2.0

v3.3.0

v3.3.1

v4.*

v4.0.0

v4.0.0-alpha.0

v4.0.0-alpha.1

v4.0.0-alpha.2

v4.0.0-alpha.4

v4.0.0-alpha.5

v4.0.0-rc.1

v4.0.0-rc.2

v4.0.0-rc.3

v4.0.0-rc.4

v4.0.0-rc.5

v4.0.0-rc.7

v4.0.0-rc.8

v4.1.0

v4.1.1

v4.10.0

v4.10.1

v4.10.2

v4.10.3

v4.10.4

v4.11.0

v4.11.1

v4.11.2

v4.11.3

v4.12.0

v4.12.2

v4.13.0

v4.14.0

v4.14.1

v4.15.0

v4.15.1

v4.16.0

v4.2.1

v4.2.2

v4.3.0

v4.3.1

v4.4.1

v4.4.2

v4.4.3

v4.4.4

v4.4.5

v4.4.6

v4.4.7

v4.5.0

v4.5.1

v4.6.0

v4.7.0

v4.7.1

v4.7.2

v4.7.3

v4.8.0

v4.8.1

v4.8.2

v4.9.0

v4.9.1

v4.9.2

v4.9.3

v4.9.4

v4.9.5

v5.*

v5.0.0

v5.1.0

v5.1.1

v5.10.0

v5.11.0

v5.12.0

v5.13.0

v5.14.0

v5.15.0

v5.15.1

v5.15.2

v5.16.0

v5.17.0

v5.17.1

v5.18.0

v5.19.0

v5.2.0

v5.3.0

v5.4.0

v5.5.0

v5.5.1

v5.6.0

v5.6.1

v5.7.0

v5.8.0

v5.8.1

v5.8.2

v5.9.1