CVE-2019-15606: Input Validation
First published: Fri Feb 07 2020(Updated: )
Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons
Credit: support@hackerone.com support@hackerone.com support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nodejs Node.js | >=10.0.0<10.19.0 | |
| Nodejs Node.js | >=12.0.0<12.15.0 | |
| Nodejs Node.js | >=13.0.0<13.8.0 | |
| Oracle Communications Cloud Native Core Network Function Cloud Native Environment | =1.4.0 | |
| Oracle GraalVM | =19.3.1 | |
| Oracle GraalVM | =20.0.0 | |
| Debian Debian Linux | =10.0 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux Eus | =8.1 | |
| openSUSE Leap | =15.1 | |
| redhat/nodejs | <10.19.0 | 10.19.0 |
| redhat/nodejs | <12.15.0 | 12.15.0 |
| redhat/nodejs | <13.8.0 | 13.8.0 |
| Nodejs Node.js | >=13.0.0<13.8.0 | |
| debian/nodejs | 12.22.12~dfsg-1~deb11u4 12.22.12~dfsg-1~deb11u5 18.19.0+dfsg-6~deb12u2 18.19.0+dfsg-6~deb12u1 20.17.0+dfsg-2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html
- https://access.redhat.com/errata/RHSA-2020:0573
- https://access.redhat.com/errata/RHSA-2020:0579
- https://access.redhat.com/errata/RHSA-2020:0597
- https://access.redhat.com/errata/RHSA-2020:0598
- https://access.redhat.com/errata/RHSA-2020:0602
- https://hackerone.com/reports/730779
- https://nodejs.org/en/blog/release/v10.19.0/
- https://nodejs.org/en/blog/release/v12.15.0/
- https://nodejs.org/en/blog/release/v13.8.0/
- https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
- https://security.gentoo.org/glsa/202003-48
- https://security.netapp.com/advisory/ntap-20200221-0004/
- https://www.debian.org/security/2020/dsa-4669
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://launchpad.net/bugs/cve/CVE-2019-15606
- https://github.com/nodejs/node/commit/25b6897e8a
- https://access.redhat.com/security/cve/cve-2019-15606
- https://bugzilla.redhat.com/show_bug.cgi?id=1800366
- https://exchange.xforce.ibmcloud.com/vulnerabilities/175914
- https://www.ibm.com/support/pages/node/6214472 (Advisory)
- https://github.com/nodejs/node/commit/2eee90e959ca4abaf53caf238d063c396f2ea17c
- https://security-tracker.debian.org/tracker/CVE-2019-15606
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15606
- https://nvd.nist.gov/vuln/detail/CVE-2019-15606
- https://ubuntu.com/security/CVE-2019-15606
Frequently Asked Questions
What is CVE-2019-15606?
CVE-2019-15606 is a vulnerability in Nodejs 10, 12, and 13 that allows bypass of authorization based on header value comparisons by including trailing white space in HTTP header values.
What is the severity of CVE-2019-15606?
The severity of CVE-2019-15606 is medium, with a severity value of 4.
How does CVE-2019-15606 affect Nodejs?
CVE-2019-15606 affects Nodejs versions 10, 12, and 13.
How can the CVE-2019-15606 vulnerability be fixed?
To fix the CVE-2019-15606 vulnerability, update Nodejs to the recommended versions: 10.24.0~dfsg-1~deb10u1, 10.24.0~dfsg-1~deb10u3, 12.22.12~dfsg-1~deb11u3, 12.22.12~dfsg-1~deb11u4, or 18.13.0+dfsg1-1.
Where can I find more information about CVE-2019-15606?
You can find more information about CVE-2019-15606 at the following references: [1] HackerOne report: https://hackerone.com/reports/730779 [2] Nodejs commit: https://github.com/nodejs/node/commit/2eee90e959ca4abaf53caf238d063c396f2ea17c [3] Debian Security Tracker: https://security-tracker.debian.org/tracker/CVE-2019-15606
- collector/nvd-index
- agent/type
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-15606
- agent/software-canonical-lookup
- agent/severity
- agent/weakness
- collector/nvd-api
- source/NVD
- agent/author
- collector/nvd-cve
- collector/ibm-support
- source/IBM
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/description
- agent/first-publish-date
- agent/softwarecombine
- agent/tags
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/trending
- vendor/nodejs
- canonical/nodejs node.js
- version/nodejs node.js/10.0.0
- version/nodejs node.js/12.0.0
- version/nodejs node.js/13.0.0
- vendor/oracle
- canonical/oracle communications cloud native core network function cloud native environment
- version/oracle communications cloud native core network function cloud native environment/1.4.0
- canonical/oracle graalvm
- version/oracle graalvm/19.3.1
- version/oracle graalvm/20.0.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/8.0
- canonical/redhat enterprise linux eus
- version/redhat enterprise linux eus/8.1
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.1
- package-manager/redhat
- package-manager/debian