CVE-2019-15606

CWE-20 — Improper Input Validation CWE-1389 documents9 sources

Severity

9.8CRITICAL

EPSS

1.3%

top 20.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Node Nodejs Node.js Debian Debian Linux +5 more

Timeline

PublishedFeb 7

Latest updateSep 19

Description

Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages6 packages

▶CVEListV5nodejs/node4.0 — 4.*+9

▶NVDnodejs/node.js10.0.0 — 10.19.0+2

▶Debiannodejs< 10.19.0~dfsg-1+3

▶NVDopensuse/leap15.1

▶NVDoracle/graalvm19.3.1, 20.0.0+1

Also affects: Debian Linux 10.0, Enterprise Linux 8.0, 8.1

🔴Vulnerability Details

GHSA

GHSA-3qv8-368w-r69p: Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons↗2022-05-24

▶

OSV

CVE-2019-15606: Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons↗2020-02-07

▶

CVEList

CVE-2019-15606: Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons↗2020-02-07

▶

📋Vendor Advisories

Ubuntu

Node.js vulnerabilities↗2023-09-19

▶

Oracle

Oracle Oracle GraalVM Risk Matrix: JavaScript (Node.js) — CVE-2019-15606↗2020-04-15

▶

Red Hat

nodejs: HTTP header values do not have trailing optional whitespace trimmed↗2020-02-07

▶

Debian

CVE-2019-15606: nodejs - Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 ca...↗2019

▶

💬Community

Bugzilla

CVE-2019-15606 nodejs: HTTP header values do not have trailing optional whitespace trimmed↗2020-02-07

▶