CVE-2022-31150 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2022-31150 Interim 1 17 2023-09-08T23:28:53Z current 2022-07-21T00:24:26Z 2023-09-08T23:28:53Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2022-31150 undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-security-updates/2022-September/012217.html E-Mail link for SUSE-CU-2022:2199-1 https://lists.suse.com/pipermail/sle-security-updates/2022-September/012190.html E-Mail link for SUSE-SU-2022:3196-1 https://lists.suse.com/pipermail/sle-security-updates/2022-September/012208.html E-Mail link for SUSE-SU-2022:3250-1 https://lists.suse.com/pipermail/sle-updates/2022-September/025091.html E-Mail link for SUSE-SU-2022:3251-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings Container bci/nodejs:16-7.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP3 SUSE Linux Enterprise Module for Web and Scripting 12 SUSE Linux Enterprise Module for Web and Scripting 15 SP3 SUSE Linux Enterprise Module for Web and Scripting 15 SP4 SUSE Linux Enterprise Module for Web and Scripting 12 SUSE Linux Enterprise Module for Web and Scripting 12 SUSE Linux Enterprise Module for Web and Scripting 12 SUSE Linux Enterprise Module for Web and Scripting 12 SUSE Linux Enterprise Module for Web and Scripting 15 SP3 SUSE Linux Enterprise Module for Web and Scripting 15 SP4 SUSE Linux Enterprise Server 15 SP4-TERADATA SUSE Linux Enterprise Module for Web and Scripting 12 SUSE Linux Enterprise Module for Web and Scripting 12 SUSE Linux Enterprise Module for Web and Scripting 12 SUSE Linux Enterprise Module for Web and Scripting 12 SUSE Linux Enterprise Module for Web and Scripting 15 SP3 SUSE Linux Enterprise Module for Web and Scripting 15 SP4 SUSE Linux Enterprise Module for Web and Scripting 15 SP3 SUSE Linux Enterprise Module for Web and Scripting 15 SP4 SUSE Linux Enterprise Module for Web and Scripting 15 SP3 SUSE Linux Enterprise Module for Web and Scripting 15 SP4 SUSE Linux Enterprise Module for Web and Scripting 15 SP3 SUSE Linux Enterprise Module for Web and Scripting 15 SP4 openSUSE Leap 15.3 openSUSE Leap 15.4 openSUSE Tumbleweed corepack16-16.17.0-150400.3.6.1 corepack16-16.17.0-2.1 nodejs16-16.17.0-150300.7.9.1 nodejs16-16.17.0-150400.3.6.1 nodejs16-16.17.0-2.1 nodejs16-16.17.0-8.9.1 nodejs16-devel-16.17.0-150300.7.9.1 nodejs16-devel-16.17.0-150400.3.6.1 nodejs16-devel-16.17.0-2.1 nodejs16-devel-16.17.0-8.9.1 nodejs16-docs-16.17.0-150300.7.9.1 nodejs16-docs-16.17.0-150400.3.6.1 nodejs16-docs-16.17.0-2.1 nodejs16-docs-16.17.0-8.9.1 npm16-16.17.0-150300.7.9.1 npm16-16.17.0-150400.3.6.1 npm16-16.17.0-2.1 npm16-16.17.0-8.9.1 nodejs16-16.17.0-150400.3.6.1 as a component of Container bci/nodejs:16-7.1 npm16-16.17.0-150400.3.6.1 as a component of Container bci/nodejs:16-7.1 nodejs16-16.17.0-8.9.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 nodejs16-devel-16.17.0-8.9.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 nodejs16-docs-16.17.0-8.9.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 npm16-16.17.0-8.9.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 nodejs16-16.17.0-150300.7.9.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP3 nodejs16-devel-16.17.0-150300.7.9.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP3 nodejs16-docs-16.17.0-150300.7.9.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP3 npm16-16.17.0-150300.7.9.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP3 nodejs16-16.17.0-150400.3.6.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP4 nodejs16-devel-16.17.0-150400.3.6.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP4 nodejs16-docs-16.17.0-150400.3.6.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP4 npm16-16.17.0-150400.3.6.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP4 nodejs16-16.17.0-150400.3.6.1 as a component of SUSE Linux Enterprise Server 15 SP4-TERADATA nodejs16-devel-16.17.0-150400.3.6.1 as a component of SUSE Linux Enterprise Server 15 SP4-TERADATA nodejs16-docs-16.17.0-150400.3.6.1 as a component of SUSE Linux Enterprise Server 15 SP4-TERADATA npm16-16.17.0-150400.3.6.1 as a component of SUSE Linux Enterprise Server 15 SP4-TERADATA nodejs16-16.17.0-150300.7.9.1 as a component of openSUSE Leap 15.3 nodejs16-devel-16.17.0-150300.7.9.1 as a component of openSUSE Leap 15.3 nodejs16-docs-16.17.0-150300.7.9.1 as a component of openSUSE Leap 15.3 npm16-16.17.0-150300.7.9.1 as a component of openSUSE Leap 15.3 corepack16-16.17.0-150400.3.6.1 as a component of openSUSE Leap 15.4 nodejs16-16.17.0-150400.3.6.1 as a component of openSUSE Leap 15.4 nodejs16-devel-16.17.0-150400.3.6.1 as a component of openSUSE Leap 15.4 nodejs16-docs-16.17.0-150400.3.6.1 as a component of openSUSE Leap 15.4 npm16-16.17.0-150400.3.6.1 as a component of openSUSE Leap 15.4 corepack16-16.17.0-2.1 as a component of openSUSE Tumbleweed nodejs16-16.17.0-2.1 as a component of openSUSE Tumbleweed nodejs16-devel-16.17.0-2.1 as a component of openSUSE Tumbleweed nodejs16-docs-16.17.0-2.1 as a component of openSUSE Tumbleweed npm16-16.17.0-2.1 as a component of openSUSE Tumbleweed undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue. CVE-2022-31150 Container bci/nodejs:16-7.1:nodejs16-16.17.0-150400.3.6.1 Container bci/nodejs:16-7.1:npm16-16.17.0-150400.3.6.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP5:corepack16-16.17.0-150400.3.6.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP5:nodejs16-16.17.0-150400.3.6.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP5:nodejs16-devel-16.17.0-150400.3.6.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP5:nodejs16-docs-16.17.0-150400.3.6.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP5:npm16-16.17.0-150400.3.6.1 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs16-16.17.0-8.9.1 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs16-devel-16.17.0-8.9.1 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs16-docs-16.17.0-8.9.1 SUSE Linux Enterprise Module for Web and Scripting 12:npm16-16.17.0-8.9.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP3:nodejs16-16.17.0-150300.7.9.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP3:nodejs16-devel-16.17.0-150300.7.9.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP3:nodejs16-docs-16.17.0-150300.7.9.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP3:npm16-16.17.0-150300.7.9.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP4:nodejs16-16.17.0-150400.3.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP4:nodejs16-devel-16.17.0-150400.3.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP4:nodejs16-docs-16.17.0-150400.3.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP4:npm16-16.17.0-150400.3.6.1 SUSE Linux Enterprise Server 15 SP4-TERADATA:nodejs16-16.17.0-150400.3.6.1 SUSE Linux Enterprise Server 15 SP4-TERADATA:nodejs16-devel-16.17.0-150400.3.6.1 SUSE Linux Enterprise Server 15 SP4-TERADATA:nodejs16-docs-16.17.0-150400.3.6.1 SUSE Linux Enterprise Server 15 SP4-TERADATA:npm16-16.17.0-150400.3.6.1 openSUSE Leap 15.3:nodejs16-16.17.0-150300.7.9.1 openSUSE Leap 15.3:nodejs16-devel-16.17.0-150300.7.9.1 openSUSE Leap 15.3:nodejs16-docs-16.17.0-150300.7.9.1 openSUSE Leap 15.3:npm16-16.17.0-150300.7.9.1 openSUSE Leap 15.4:corepack16-16.17.0-150400.3.6.1 openSUSE Leap 15.4:nodejs16-16.17.0-150400.3.6.1 openSUSE Leap 15.4:nodejs16-devel-16.17.0-150400.3.6.1 openSUSE Leap 15.4:nodejs16-docs-16.17.0-150400.3.6.1 openSUSE Leap 15.4:npm16-16.17.0-150400.3.6.1 openSUSE Tumbleweed:corepack16-16.17.0-2.1 openSUSE Tumbleweed:nodejs16-16.17.0-2.1 openSUSE Tumbleweed:nodejs16-devel-16.17.0-2.1 openSUSE Tumbleweed:nodejs16-docs-16.17.0-2.1 openSUSE Tumbleweed:npm16-16.17.0-2.1 moderate 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N