CVE-2019-15604 — HIGH (7.5)

Q: What is CVE-2019-15604?

CVE-2019-15604 is a vulnerability with a CVSS score of 7.5 (HIGH). Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate

Q: How severe is CVE-2019-15604?

CVE-2019-15604 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-15604?

Check the references section above for vendor advisories and patch information. Affected products include: Nodejs Node.Js, Debian Debian Linux, Opensuse Leap, Redhat Software Collections, Redhat Enterprise Linux.

Vulnerability Description

Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Nodejs	Node.Js	>= 10.0.0, < 10.19.0
Debian	Debian Linux	10.0
Opensuse	Leap	15.1
Redhat	Software Collections	1.0
Redhat	Enterprise Linux	8.0
Redhat	Enterprise Linux Eus	8.1
Redhat	Enterprise Linux Server Aus	8.2
Redhat	Enterprise Linux Server Tus	8.2
Oracle	Communications Cloud Native Core Network Function Cloud Native Environment	1.4.0
Oracle	Graalvm	19.3.1

Related Weaknesses (CWE)

CWE-295

References

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.htmlMailing ListThird Party Advisory
https://access.redhat.com/errata/RHSA-2020:0573Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0579Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0597Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0598Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0602Third Party Advisory
https://hackerone.com/reports/746733ExploitThird Party Advisory
https://nodejs.org/en/blog/release/v10.19.0/Release NotesVendor Advisory
https://nodejs.org/en/blog/release/v12.15.0/Release NotesVendor Advisory
https://nodejs.org/en/blog/release/v13.8.0/Vendor Advisory
https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/Vendor Advisory
https://security.gentoo.org/glsa/202003-48Third Party Advisory
https://security.netapp.com/advisory/ntap-20200221-0004/Third Party Advisory
https://www.debian.org/security/2020/dsa-4669Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.htmlPatchThird Party Advisory

FAQ

What is CVE-2019-15604?

CVE-2019-15604 is a vulnerability with a CVSS score of 7.5 (HIGH). Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate

How severe is CVE-2019-15604?

CVE-2019-15604 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-15604?

Check the references section above for vendor advisories and patch information. Affected products include: Nodejs Node.Js, Debian Debian Linux, Opensuse Leap, Redhat Software Collections, Redhat Enterprise Linux.