Closed lostunicorn closed 1 year ago
Sorry for the delay. We have been working on getting appropriate internal processes defined for dealing with data issues in the new data set. We are now working on catching up on the backlog.
This issue has been passed to the research team on our internal tracking system, and I will report back here once more is known.
While it is true that the vulnerability was fixed for some NodeJS versions, applications using express in conjunction with NodeJS runtime versions less than 0.9.4 remain vulnerable; therefore, sonatype-2012-0022 remains.
Our commercial products provide additional information that explains this edge case to the users; however, OSS Index does not have access to that additional research. This definitely leads to confusion; luckily this is a bit of an edge case, so it will not happen too often.
I am opening a story in our internal system to look into making this information available in OSS Index.
+1 for Sonatype not reporting this issue anymore. This report is shown for every nodejs app using current versions of express (>24 million downloads/week as per npmjs.org).
Using a Nodejs runtime that old is a big security vulnerability in itself and no one should use such an old version anymore. Even (extremely conservative) Debian ships newer versions for old-old-stable and newer...
Nodejs 0.10 was end-of-life in 2016 (https://github.com/nodejs/Release/#end-of-life-releases) - that is a lot of time to upgrade your runtime.
Vulnerability URL
Component URL
Description: This issue deals with CRLF characters in HTTP headers (specifically for HTTP redirects).
The express package maintainers considered the issue closed, as the invalid characters are handled by node more generically. I've checked node's handling of invalid characters in http headers and it looks like all relevant versions (I checked node versions 0.10.x, 8.x, 10.x, 12.x, 14.x and 16.x) don't allow invalid characters in header names or header values.
As such, I think this vulnerability can be discarded?