How severe is CVE-2020-8201?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.4 out of 10.

What type of vulnerability is CVE-2020-8201?

This is classified as CWE-444, which is a common weakness in software security.

CVE-2020-8201 - HIGH Severity | CVSS 7.4

Q: What is CVE-2020-8201?

Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names.

Vulnerability Description

Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names.

Related Vulnerabilities

CVE-2017-15643

HIGH

CVSS:7.4(High)

An active network attacker (MiTM) can achieve remote code execution on a machine that runs IKARUS Anti Virus 2.16.7. IKARUS AV for Windows uses cleartext HTTP for updates along with a CRC32 checksum a...

CWE-4442017

CVE-2023-4639

HIGH

CVSS:7.4(High)

A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltra...

CWE-4442023

CVE-2024-12397

HIGH

CVSS:7.4(High)

A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfi...

CWE-4442024

CVE-2017-12165

HIGH

CVSS:7.5(High)

It was discovered that Undertow before 1.4.17, 1.3.31 and 2.0.0 processes http request headers with unusual whitespaces which can cause possible http request smuggling.

CWE-4442017

CVE-2017-7656

HIGH

CVSS:7.5(High)

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line ...

CWE-4442017

CVE-2019-1020012

HIGH

CVSS:7.5(High)

parse-server before 3.4.1 allows DoS after any POST to a volatile class.

CWE-4442019