CVE-2019-15606
Description
Including trailing white space in HTTP header values in Node.js 10, 12, and 13 causes a bypass of authorization based on header value comparisons.
Risk Information
| Field | Value |
|---|---|
| Base Score | 9.8 (MODERATE) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| EPSS Score (Exploitation Probability) | 1.74 |
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2019-15605,CVE-2019-15606,CVE-2019-15604 are fixed in Node.js 12 (x64) (12.15.0) | Windows |
| Vulnerabilities CVE-2019-15605,CVE-2019-15606,CVE-2019-15604 are fixed in Node.js 12 (12.15.0) | Windows |
| Vulnerabilities CVE-2019-15605,CVE-2019-15606,CVE-2019-15604 are fixed in Node.js 10 (x64) (10.19.0) | Windows |
| Vulnerabilities CVE-2019-15605,CVE-2019-15606,CVE-2019-15604 are fixed in Node.js 10 (10.19.0) | Windows |
| Vulnerabilities CVE-2019-15605,CVE-2019-15606,CVE-2019-15604 are fixed in Node.js 13 (x64) (13.8.0) | Windows |
| Vulnerabilities CVE-2019-15605,CVE-2019-15606,CVE-2019-15604 are fixed in Node.js 13 (13.8.0) | Windows |
| Vulnerabilities CVE-2019-15605,CVE-2019-15606,CVE-2019-15604 are fixed in Node.js 10 (x64) (10.24.1) | Windows |
| Vulnerabilities CVE-2019-15606,CVE-2020-2799,CVE-2020-2802,CVE-2020-2803,CVE-2020-2900 are affected in Oracle GraalVM Enterprise Edition 19.3.1 | Windows |
| Vulnerabilities CVE-2019-15606,CVE-2020-2799,CVE-2020-2802,CVE-2020-2803,CVE-2020-2900 are affected in Oracle GraalVM Enterprise Edition 20.0.0 | Windows |
| Multiple Vulnerabilities are affected in IBM Business Automation Workflow 19.0 | Windows |
| nodejs security update(DSA-4669-1) nodejs_10.19.0~dfsg1-1_i386.deb | Linux |
| nodejs security update(DSA-4669-1) nodejs_10.19.0~dfsg1-1_amd64.deb | Linux |
| An open-source, cross-platform JavaScript runtime environment. (USN-6380-1) nodejs_10.19.0~dfsg-3ubuntu1.1_amd64.deb | Linux |
| An open-source, cross-platform JavaScript runtime environment. (USN-6380-1) nodejs_4.2.6~dfsg-1ubuntu4.2_i386.deb | Linux |
| An open-source, cross-platform JavaScript runtime environment. (USN-6380-1) nodejs_4.2.6~dfsg-1ubuntu4.2_amd64.deb | Linux |
| An open-source, cross-platform JavaScript runtime environment. (USN-6380-1) nodejs_8.10.0~dfsg-2ubuntu0.4_i386.deb | Linux |
| An open-source, cross-platform JavaScript runtime environment. (USN-6380-1) nodejs_8.10.0~dfsg-2ubuntu0.4_amd64.deb | Linux |
| An open-source, cross-platform JavaScript runtime environment. (USN-6380-1) libnode64_10.19.0~dfsg-3ubuntu1.1_amd64.deb | Linux |
| An open-source, cross-platform JavaScript runtime environment. (USN-6380-1) nodejs-dev_4.2.6~dfsg-1ubuntu4.2_i386.deb | Linux |
| An open-source, cross-platform JavaScript runtime environment. (USN-6380-1) nodejs-dev_4.2.6~dfsg-1ubuntu4.2_amd64.deb | Linux |
| An open-source, cross-platform JavaScript runtime environment. (USN-6380-1) nodejs-dev_8.10.0~dfsg-2ubuntu0.4_i386.deb | Linux |
| An open-source, cross-platform JavaScript runtime environment. (USN-6380-1) nodejs-dev_8.10.0~dfsg-2ubuntu0.4_amd64.deb | Linux |
| An open-source, cross-platform JavaScript runtime environment. (USN-6380-1) libnode-dev_10.19.0~dfsg-3ubuntu1.1_amd64.deb | Linux |
| An open-source, cross-platform JavaScript runtime environment. (USN-6380-1) nodejs-legacy_4.2.6~dfsg-1ubuntu4.2_all.deb | Linux |
| (RHSA-2020:0579)Important: security update nodejs-10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64.rpm | Linux |
| (RHSA-2020:0579)Important: security update nodejs-debuginfo-10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64.rpm | Linux |
| (RHSA-2020:0579)Important: security update nodejs-debugsource-10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64.rpm | Linux |
| (RHSA-2020:0579)Important: security update nodejs-devel-10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64.rpm | Linux |
| (RHSA-2020:0579)Important: security update nodejs-devel-debuginfo-10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64.rpm | Linux |
| (RHSA-2020:0579)Important: security update nodejs-docs-10.19.0-1.module+el8.1.0+5726+6ed65f8c.noarch.rpm | Linux |
| (RHSA-2020:0579)Important: security update nodejs-nodemon-1.18.3-1.module+el8+2632+6c5111ed.noarch.rpm | Linux |
| (RHSA-2020:0579)Important: security update nodejs-packaging-17-3.module+el8+2873+aa7dfd9a.noarch.rpm | Linux |
| (RHSA-2020:0579)Important: security update npm-6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.x86_64.rpm | Linux |
| (RHSA-2020:0598)Important: security update nodejs-12.16.1-1.module+el8.1.0+5811+44509afe.x86_64.rpm | Linux |
| (RHSA-2020:0598)Important: security update nodejs-debuginfo-12.16.1-1.module+el8.1.0+5811+44509afe.x86_64.rpm | Linux |
| (RHSA-2020:0598)Important: security update nodejs-debugsource-12.16.1-1.module+el8.1.0+5811+44509afe.x86_64.rpm | Linux |
| (RHSA-2020:0598)Important: security update nodejs-devel-12.16.1-1.module+el8.1.0+5811+44509afe.x86_64.rpm | Linux |
| (RHSA-2020:0598)Important: security update nodejs-docs-12.16.1-1.module+el8.1.0+5811+44509afe.noarch.rpm | Linux |
| (RHSA-2020:0598)Important: security update nodejs-nodemon-1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch.rpm | Linux |
| (RHSA-2020:0598)Important: security update nodejs-packaging-17-3.module+el8.1.0+3369+37ae6a45.noarch.rpm | Linux |
| (RHSA-2020:0598)Important: security update npm-6.13.4-1.12.16.1.1.module+el8.1.0+5811+44509afe.x86_64.rpm | Linux |
| Nodejs-nodemon update (ELSA-2020-1317) nodejs-nodemon-1.18.3-1.module+el8.1.0+5392+4d6b561f.noarch.rpm | Linux |
| Nodejs-packaging update (ELSA-2020-1317) nodejs-packaging-17-3.module+el8.1.0+5392+4d6b561f.noarch.rpm | Linux |
| CVE-2019-15606 | NCM |
Patch Details
| Patch ID | Patch Description |
|---|---|
| PATCH-324371 | Node.js 12 (x64) (12.22.12) |
| PATCH-324370 | Node.js 12 (12.22.12) |
| PATCH-319043 | Node.js 10 (x64) (10.24.1) |
| PATCH-319042 | Node.js 10 (10.24.1) |
| PATCH-314017 | Node.js 13 (x64) (13.14.0) |
| PATCH-314016 | Node.js 13 (13.14.0) |