CVE-2019-15606
published 2020-02-07
CVE-2019-15606: Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons
critical 9.8 CVSS 3.1
AV:N AC:L PR:N UI:N S:U C:H I:H A:H
Affected
28 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | nodejs | < nodejs 10.19.0~dfsg-1 (bookworm) | nodejs 10.19.0~dfsg-1 (bookworm) |
| nodejs | node | >= 10.0 < 10.19.0 | 10.19.0 |
| nodejs | node | >= 11.0 < 11.* | 11.* |
| nodejs | node | >= 12.0 < 12.15.0 | 12.15.0 |
| nodejs | node | >= 13.0 < 13.8.0 | 13.8.0 |
| nodejs | node | >= 4.0 < 4.* | 4.* |
| nodejs | node | >= 5.0 < 5.* | 5.* |
| nodejs | node | >= 6.0 < 6.* | 6.* |
| nodejs | node | >= 7.0 < 7.* | 7.* |
| nodejs | node | >= 8.0 < 8.* | 8.* |
| nodejs | node | >= 9.0 < 9.* | 9.* |
| nodejs | node.js | >= 10.0.0 < 10.19.0 | 10.19.0 |
| nodejs | node.js | >= 12.0.0 < 12.15.0 | 12.15.0 |
| nodejs | node.js | >= 13.0.0 < 13.8.0 | 13.8.0 |
| nodejs | nodejs | >= 0 < 10.19.0~dfsg-1 | 10.19.0~dfsg-1 |
| nodejs | nodejs | >= 0 < 10.19.0~dfsg-1 | 10.19.0~dfsg-1 |
| nodejs | nodejs | >= 0 < 10.19.0~dfsg-1 | 10.19.0~dfsg-1 |
| nodejs | nodejs | >= 0 < 10.19.0~dfsg-1 | 10.19.0~dfsg-1 |
| nodejs | nodejs | >= 0 < 10.19.0~dfsg-3ubuntu1.1 | 10.19.0~dfsg-3ubuntu1.1 |
| nodejs | nodejs | >= 0 < 4.2.6~dfsg-1ubuntu4.2+esm2 | 4.2.6~dfsg-1ubuntu4.2+esm2 |
| nodejs | nodejs | >= 0 < 8.10.0~dfsg-2ubuntu0.4+esm2 | 8.10.0~dfsg-2ubuntu0.4+esm2 |
| opensuse | leap | — | — |
| oracle | communications_cloud_native_core_network_function_cloud_native_environment | — | — |
| oracle | graalvm | — | — |
CVSS provenance
nvd v3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv 9.8 CRITICAL