CVE-2019-15606 — CRITICAL (9.8)

Q: What is CVE-2019-15606?

CVE-2019-15606 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons

Q: How severe is CVE-2019-15606?

CVE-2019-15606 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2019-15606?

Check the references section above for vendor advisories and patch information. Affected products include: Nodejs Node.Js, Oracle Communications Cloud Native Core Network Function Cloud Native Environment, Oracle Graalvm, Debian Debian Linux, Redhat Enterprise Linux.

Vulnerability Description

Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Nodejs	Node.Js	>= 10.0.0, < 10.19.0
Oracle	Communications Cloud Native Core Network Function Cloud Native Environment	1.4.0
Oracle	Graalvm	19.3.1
Debian	Debian Linux	10.0
Redhat	Enterprise Linux	8.0
Redhat	Enterprise Linux Eus	8.1
Opensuse	Leap	15.1

Related Weaknesses (CWE)

CWE-20

References

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.htmlMailing ListThird Party Advisory
https://access.redhat.com/errata/RHSA-2020:0573Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0579Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0597Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0598Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0602Third Party Advisory
https://hackerone.com/reports/730779ExploitThird Party Advisory
https://nodejs.org/en/blog/release/v10.19.0/Release NotesVendor Advisory
https://nodejs.org/en/blog/release/v12.15.0/Release NotesVendor Advisory
https://nodejs.org/en/blog/release/v13.8.0/Vendor Advisory
https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/Vendor Advisory
https://security.gentoo.org/glsa/202003-48Third Party Advisory
https://security.netapp.com/advisory/ntap-20200221-0004/Third Party Advisory
https://www.debian.org/security/2020/dsa-4669Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.htmlThird Party Advisory

FAQ

What is CVE-2019-15606?

CVE-2019-15606 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons

How severe is CVE-2019-15606?

CVE-2019-15606 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2019-15606?

Check the references section above for vendor advisories and patch information. Affected products include: Nodejs Node.Js, Oracle Communications Cloud Native Core Network Function Cloud Native Environment, Oracle Graalvm, Debian Debian Linux, Redhat Enterprise Linux.