CVE-2019-15605 : HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delive

HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed

Published 2020-02-07 15:15:11

Updated 2024-03-07 21:24:41

Source HackerOne

View at NVD, CVE.org

Products affected by CVE-2019-15605

Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 8.0
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Desktop » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Eus » Version: 7.7
cpe:2.3:o:redhat:enterprise_linux_eus:7.7:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Eus » Version: 8.1
cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Eus » Version: 8.2
cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Eus » Version: 8.4
cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Eus » Version: 8.6
cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 7.7
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 8.2
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 8.4
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 8.6
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6:*:*:*:*:*:*:*
Matching versions
Redhat » Software Collections » Version: 1.0
cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Tus » Version: 7.7
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Tus » Version: 8.2
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Tus » Version: 8.4
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Tus » Version: 8.6
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:*:*:*:*:*:*:*
Matching versions
Oracle » Graalvm » Version: 19.3.1 Enterprise Edition
cpe:2.3:a:oracle:graalvm:19.3.1:*:*:*:enterprise:*:*:*
Matching versions
Oracle » Graalvm » Version: 20.0.0 Enterprise Edition
cpe:2.3:a:oracle:graalvm:20.0.0:*:*:*:enterprise:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 30
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 15.1
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » LTS Edition
Versions from including (>=) 12.0.0 and before (<) 12.15.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
Matching versions
Nodejs » Node.js »
Versions from including (>=) 13.0.0 and before (<) 13.8.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Matching versions
Nodejs » Node.js » LTS Edition
Versions from including (>=) 10.0.0 and before (<) 10.19.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
Matching versions

Threat overview for CVE-2019-15605

Top countries where our scanners detected CVE-2019-15605

Top open port discovered on systems with this issue 53

IPs affected by CVE-2019-15605 50,177

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2019-15605!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2019-15605

EPSS FAQ

42.07%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 97 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-15605

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2019-15605

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Assigned by:
- nvd@nist.gov (Primary)
- support@hackerone.com (Secondary)

References for CVE-2019-15605

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CT3WTR4P5VAJ3GJGKPYEDUPTNZ3IEDUR/

[SECURITY] Fedora 30 Update: nghttp2-1.40.0-1.fc30 - package-announce - Fedora Mailing-Lists
https://www.debian.org/security/2020/dsa-4669

Debian -- Security Information -- DSA-4669-1 nodejs
Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpuapr2020.html

Oracle Critical Patch Update Advisory - April 2020
Patch;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2020:0708

RHSA-2020:0708 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html

Oracle Critical Patch Update Advisory - July 2021
Patch;Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20200221-0004/

February 2020 Node.js Vulnerabilities in NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url
https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/

February 2020 Security Releases | Node.js
Vendor Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLB676PDU4RJQLWQUA277YNGYYNEYGWO/

[SECURITY] Fedora 31 Update: libuv-1.34.2-1.fc31 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0707

RHSA-2020:0707 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html

[security-announce] openSUSE-SU-2020:0293-1: important: Security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2020:0598

RHSA-2020:0598 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2020:0703

RHSA-2020:0703 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CT3WTR4P5VAJ3GJGKPYEDUPTNZ3IEDUR/

[SECURITY] Fedora 30 Update: nghttp2-1.40.0-1.fc30 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://nodejs.org/en/blog/release/v12.15.0/

Node v12.15.0 (LTS) | Node.js
Release Notes;Vendor Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2020:0602

RHSA-2020:0602 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://nodejs.org/en/blog/release/v13.8.0/

Node v13.8.0 (Current) | Node.js
Vendor Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLB676PDU4RJQLWQUA277YNGYYNEYGWO/

[SECURITY] Fedora 31 Update: libuv-1.34.2-1.fc31 - package-announce - Fedora Mailing-Lists
https://access.redhat.com/errata/RHSA-2020:0579

RHSA-2020:0579 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2020:0573

RHSA-2020:0573 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://hackerone.com/reports/735748

Sign in
Permissions Required;Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0597

RHSA-2020:0597 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://security.gentoo.org/glsa/202003-48

Node.js: Multiple vulnerabilities (GLSA 202003-48) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://nodejs.org/en/blog/release/v10.19.0/

Node v10.19.0 (LTS) | Node.js
Release Notes;Vendor Advisory

CVEs referencing this url