CVE-2019-5737
First published: Wed Mar 20 2019(Updated: )
In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1.
Credit: cve-request@iojs.org cve-request@iojs.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nodejs Node.js | >=6.0.0<6.17.0 | |
| Nodejs Node.js | >=8.0.0<8.15.1 | |
| Nodejs Node.js | >=10.0.0<10.15.2 | |
| Nodejs Node.js | >=11.0.0<11.10.1 | |
| openSUSE Leap | =42.3 | |
| redhat/nodejs | <6.17.0 | 6.17.0 |
| redhat/nodejs | <8.15.1 | 8.15.1 |
| redhat/nodejs | <10.15.2 | 10.15.2 |
| redhat/nodejs | <11.10.1 | 11.10.1 |
| >=6.0.0<6.17.0 | ||
| >=8.0.0<8.15.1 | ||
| >=10.0.0<10.15.2 | ||
| >=11.0.0<11.10.1 | ||
| =42.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00059.html
- https://access.redhat.com/errata/RHSA-2019:1821
- https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
- https://security.gentoo.org/glsa/202003-48
- https://security.netapp.com/advisory/ntap-20190502-0008/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1690814
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1690815
- https://github.com/nodejs/node/commit/1a7302bd48
- https://nodejs.org/ja/blog/vulnerability/february-2019-security-releases/
- https://access.redhat.com/security/cve/cve-2019-5737
- https://access.redhat.com/errata/RHSA-2019:2939
- https://access.redhat.com/errata/RHSA-2019:2925
- https://bugzilla.redhat.com/show_bug.cgi?id=1690808
- collector/nvd-index
- agent/weakness
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-5737
- agent/software-canonical-lookup
- agent/references
- agent/description
- agent/event
- agent/severity
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/author
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/nodejs
- canonical/nodejs node.js
- version/nodejs node.js/6.0.0
- version/nodejs node.js/8.0.0
- version/nodejs node.js/10.0.0
- version/nodejs node.js/11.0.0
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/42.3
- package-manager/redhat