Vulnerability Details : CVE-2019-15606
Potential exploit
Including trailing white space in HTTP header values in Node.js 10, 12, and 13 causes a bypass of authorization based on header value comparisons.
Vulnerability category: Input validation
Products affected by CVE-2019-15606
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:graalvm:19.3.1:*:*:*:enterprise:*:*:*
- cpe:2.3:a:oracle:graalvm:20.0.0:*:*:*:enterprise:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.4.0:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
- cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-15606
- EPSS score: 1.74% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~82% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2019-15606
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |
CWE ids for CVE-2019-15606
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: support@hackerone.com (Secondary)
References for CVE-2019-15606
- https://www.debian.org/security/2020/dsa-4669 (Debian -- Security Information -- DSA-4669-1 nodejs; Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2020.html (Oracle Critical Patch Update Advisory - April 2020; Third Party Advisory)
- https://www.oracle.com//security-alerts/cpujul2021.html (Oracle Critical Patch Update Advisory - July 2021; Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20200221-0004/ (February 2020 Node.js Vulnerabilities in NetApp Products | NetApp Product Security; Third Party Advisory)
- https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/ (February 2020 Security Releases | Node.js; Vendor Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html ([security-announce] openSUSE-SU-2020:0293-1: important: Security update; Mailing List; Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2020:0598 (RHSA-2020:0598 - Security Advisory - Red Hat Customer Portal; Third Party Advisory)
- https://nodejs.org/en/blog/release/v12.15.0/ (Node v12.15.0 (LTS) | Node.js; Release Notes; Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2020:0602 (RHSA-2020:0602 - Security Advisory - Red Hat Customer Portal; Third Party Advisory)
- https://nodejs.org/en/blog/release/v13.8.0/ (Node v13.8.0 (Current) | Node.js; Vendor Advisory)
- https://hackerone.com/reports/730779 (HackerOne; Exploit; Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2020:0579 (RHSA-2020:0579 - Security Advisory - Red Hat Customer Portal; Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2020:0573 (RHSA-2020:0573 - Security Advisory - Red Hat Customer Portal; Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2020:0597 (RHSA-2020:0597 - Security Advisory - Red Hat Customer Portal; Third Party Advisory)
- https://security.gentoo.org/glsa/202003-48 (Node.js: Multiple vulnerabilities (GLSA 202003-48) — Gentoo security; Third Party Advisory)
- https://nodejs.org/en/blog/release/v10.19.0/ (Node v10.19.0 (LTS) | Node.js; Release Notes; Vendor Advisory)