Rewterz

Rewterz Threat Advisory – Multiple SAP BusinessObjects, NetWeaver Application and SuccessFactors Vulnerabilities

October 13, 2021
Rewterz

Rewterz Threat Advisory – Multiple Juniper Networks Junos OS and CTPView

October 14, 2021

Rewterz Threat Advisory – Multiple Node.js Body and header Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2021-22960 

Node.js is vulnerable to HTTP request smuggling, caused by an error when parsing the body of chunked requests. A remote attacker could send a specially-crafted request to lead to HTTP Request Smuggling (HRS). An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.

CVE-2021-22959 

Node.js is vulnerable to HTTP request smuggling, caused by an error related to space in headers. A remote attacker could send a specially-crafted request with a space (SP) right after the header name before the colon to lead to HTTP Request Smuggling (HRS). An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.

Impact

  • Security Bypass

Affected Vendors

Node.js

Affected Products

  • Node.js Node.js 12
  • Node.js Node.js 14.0
  • Node.js Node.js 16.0

Remediation

Upgrade to the latest version of Node.js, available from the Node.js Web site.

https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/

Reading this advisory was a good start.

Make it a habit.

Rewterz publishes threat advisories ahead of mainstream cybersecurity media, informed by an AI-Native Autonomous SOC that sees regional threat actor activity in real time. Subscribe to receive each new advisory as it publishes, plus a monthly Middle East threat landscape brief drawn from our own SOC telemetry. For teams evaluating their detection coverage, a 30-minute consultation with a senior analyst is also available, at your pace, when you're ready.