First published: Fri Feb 07 2020
Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when it is sent a crafted X.509 certificate
Credit: support@hackerone.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/rh-nodejs10-nodejs | <0:10.19.0-1.el7 | 0:10.19.0-1.el7 |
redhat/rh-nodejs12-nodejs | <0:12.16.1-1.el7 | 0:12.16.1-1.el7 |
Nodejs Node.js | >=10.0.0<10.19.0 | |
Nodejs Node.js | >=12.0.0<12.15.0 | |
Nodejs Node.js | >=13.0.0<13.8.0 | |
Debian Debian Linux | =10.0 | |
openSUSE Leap | =15.1 | |
Redhat Software Collections | =1.0 | |
Redhat Enterprise Linux | =8.0 | |
Redhat Enterprise Linux Eus | =8.1 | |
Redhat Enterprise Linux Eus | =8.2 | |
Redhat Enterprise Linux Eus | =8.4 | |
Redhat Enterprise Linux Eus | =8.6 | |
Redhat Enterprise Linux Server Aus | =8.2 | |
Redhat Enterprise Linux Server Aus | =8.4 | |
Redhat Enterprise Linux Server Aus | =8.6 | |
Redhat Enterprise Linux Server Tus | =8.2 | |
Redhat Enterprise Linux Server Tus | =8.4 | |
Redhat Enterprise Linux Server Tus | =8.6 | |
Oracle Communications Cloud Native Core Network Function Cloud Native Environment | =1.4.0 | |
Oracle GraalVM | =19.3.1 | |
Oracle GraalVM | =20.0.0 | |
redhat/nodejs | <10.19.0 | 10.19.0 |
redhat/nodejs | <12.15.0 | 12.15.0 |
redhat/nodejs | <13.8.0 | 13.8.0 |
ubuntu/nodejs | <8.10.0~dfsg-2ubuntu0.4+ | 8.10.0~dfsg-2ubuntu0.4+ |
ubuntu/nodejs | <4.2.6~dfsg-1ubuntu4.2+ | 4.2.6~dfsg-1ubuntu4.2+ |
debian/nodejs | 10.24.0~dfsg-1~deb10u1 10.24.0~dfsg-1~deb10u4 12.22.12~dfsg-1~deb11u4 18.13.0+dfsg1-1 18.19.0+dfsg-6~deb12u1 18.20.1+dfsg-4 |
CVE-2019-15604 is a vulnerability in Node.js that causes the process to crash when handling TLS client authentication.
The severity of CVE-2019-15604 is medium with a CVSS score of 5.9.
CVE-2019-15604 affects Node.js versions 10, 12, and 13, causing the process to crash when handling TLS client authentication.
To fix CVE-2019-15604 in Node.js, upgrade to the patched versions: 10.24.0~dfsg-1~deb10u1 or 10.24.0~dfsg-1~deb10u3 for Debian, 12.22.12~dfsg-1~deb11u3 or 12.22.12~dfsg-1~deb11u4 for Debian, and 18.13.0+dfsg1-1 for Ubuntu.
You can find more information about CVE-2019-15604 on the following websites: HackerOne (https://hackerone.com/reports/746733), GitHub (https://github.com/nodejs/node/commit/f940bee3b7da865e28093472dee9ce664f273f6d), and Debian Security Tracker (https://security-tracker.debian.org/tracker/CVE-2019-15604).