CVE-2021-22960

The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.

References

Affected packages

Git / github.com/graalvm/graalvm-ce-builds

Affected ranges

Type

GIT

Repo

https://github.com/graalvm/graalvm-ce-builds

Events

Introduced

Last affected

9e3645fe9e0c84e1350c4b88cfb9fdf432c97fce

Introduced

Last affected

2b9eb103d1668cf5eac22fe85bdad7513681d9e3

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "20.3.4"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "21.3.0"
        }
    ]
}

Type

GIT

Repo

https://github.com/nodejs/llhttp

Events

Introduced

Fixed

d6ea943d8d1c5092f4bf6e10a6a32cfb2dbeaae3

Introduced

c6a35cccf5c8b36f82036c23cf9c50a7dc2dbd0a

Fixed

69d6db2008508489d19267a0dcab30602b16fc5b

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.1.4"
        },
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "6.0.6"
        }
    ]
}

Affected versions

v3.*

v3.0.0

v4.*

v4.0.0

v5.*

v5.0.0

v5.1.0

v6.*

v6.0.0

v6.0.1

v6.0.2

v6.0.3

v6.0.4

v6.0.5

vm-19.*

vm-19.3.2

vm-19.3.2-pre

vm-19.3.3

vm-19.3.4

vm-19.3.5

vm-19.3.6

vm-20.*

vm-20.0.1

vm-20.1.0

vm-20.2.0

vm-20.3.0

vm-20.3.1

vm-20.3.1.2

vm-20.3.2

vm-20.3.3

vm-20.3.4

vm-21.*

vm-21.0.0

vm-21.0.0.2

vm-21.1.0

vm-21.2.0

Database specific

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0"
            }
        ]
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-22960.json"