CVE-2019-15605

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2019-15605
HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5 /10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References
Link Resource
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html Mailing List Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0573 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0579 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0597 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0598 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0602 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0703 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0707 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0708 Third Party Advisory
https://hackerone.com/reports/735748 Permissions Required Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CT3WTR4P5VAJ3GJGKPYEDUPTNZ3IEDUR/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLB676PDU4RJQLWQUA277YNGYYNEYGWO/
https://nodejs.org/en/blog/release/v10.19.0/ Release Notes Vendor Advisory
https://nodejs.org/en/blog/release/v12.15.0/ Release Notes Vendor Advisory
https://nodejs.org/en/blog/release/v13.8.0/ Vendor Advisory
https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/ Vendor Advisory
https://security.gentoo.org/glsa/202003-48 Third Party Advisory
https://security.netapp.com/advisory/ntap-20200221-0004/ Third Party Advisory
https://www.debian.org/security/2020/dsa-4669 Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.html Patch Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*

Configuration 4 (hide)

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Configuration 5 (hide)

OR cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:7.7:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

Configuration 6 (hide)

OR cpe:2.3:a:oracle:graalvm:19.3.1:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm:20.0.0:*:*:*:enterprise:*:*:*
History

07 Mar 2024, 21:24

Type Values Removed Values Added
CPE cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

07 Nov 2023, 03:05

Type Values Removed Values Added
References
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CT3WTR4P5VAJ3GJGKPYEDUPTNZ3IEDUR/', 'name': 'FEDORA-2020-47efc31973', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLB676PDU4RJQLWQUA277YNGYYNEYGWO/', 'name': 'FEDORA-2020-3838c8ea98', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLB676PDU4RJQLWQUA277YNGYYNEYGWO/ -
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CT3WTR4P5VAJ3GJGKPYEDUPTNZ3IEDUR/ -

16 Nov 2022, 02:55

Type Values Removed Values Added
References
  • (N/A) https://www.oracle.com//security-alerts/cpujul2021.html - Patch, Third Party Advisory
References (CONFIRM) https://security.netapp.com/advisory/ntap-20200221-0004/ - (CONFIRM) https://security.netapp.com/advisory/ntap-20200221-0004/ - Third Party Advisory
References (REDHAT) https://access.redhat.com/errata/RHSA-2020:0598 - (REDHAT) https://access.redhat.com/errata/RHSA-2020:0598 - Third Party Advisory
References (DEBIAN) https://www.debian.org/security/2020/dsa-4669 - (DEBIAN) https://www.debian.org/security/2020/dsa-4669 - Third Party Advisory
References (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CT3WTR4P5VAJ3GJGKPYEDUPTNZ3IEDUR/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CT3WTR4P5VAJ3GJGKPYEDUPTNZ3IEDUR/ - Mailing List, Third Party Advisory
References (REDHAT) https://access.redhat.com/errata/RHSA-2020:0708 - (REDHAT) https://access.redhat.com/errata/RHSA-2020:0708 - Third Party Advisory
References (REDHAT) https://access.redhat.com/errata/RHSA-2020:0579 - (REDHAT) https://access.redhat.com/errata/RHSA-2020:0579 - Third Party Advisory
References (REDHAT) https://access.redhat.com/errata/RHSA-2020:0597 - (REDHAT) https://access.redhat.com/errata/RHSA-2020:0597 - Third Party Advisory
References (SUSE) http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html - (SUSE) http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html - Mailing List, Third Party Advisory
References (REDHAT) https://access.redhat.com/errata/RHSA-2020:0573 - (REDHAT) https://access.redhat.com/errata/RHSA-2020:0573 - Third Party Advisory
References (REDHAT) https://access.redhat.com/errata/RHSA-2020:0707 - (REDHAT) https://access.redhat.com/errata/RHSA-2020:0707 - Third Party Advisory
References (N/A) https://www.oracle.com/security-alerts/cpuapr2020.html - (N/A) https://www.oracle.com/security-alerts/cpuapr2020.html - Patch, Third Party Advisory
References (REDHAT) https://access.redhat.com/errata/RHSA-2020:0703 - (REDHAT) https://access.redhat.com/errata/RHSA-2020:0703 - Third Party Advisory
References (GENTOO) https://security.gentoo.org/glsa/202003-48 - (GENTOO) https://security.gentoo.org/glsa/202003-48 - Third Party Advisory
References (REDHAT) https://access.redhat.com/errata/RHSA-2020:0602 - (REDHAT) https://access.redhat.com/errata/RHSA-2020:0602 - Third Party Advisory
CPE cpe:2.3:a:oracle:graalvm:20.0.0:*:*:*:enterprise:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:graalvm:19.3.1:*:*:*:enterprise:*:*:*
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:7.7:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:*
cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
First Time Fedoraproject fedora
Oracle graalvm
Redhat
Redhat enterprise Linux Eus
Redhat enterprise Linux Server Aus
Opensuse leap
Redhat enterprise Linux Desktop
Debian
Redhat enterprise Linux Server Tus
Redhat enterprise Linux Server
Redhat enterprise Linux
Redhat software Collections
Fedoraproject
Debian debian Linux
Oracle
Redhat enterprise Linux Workstation
Opensuse
Information

Published : 2020-02-07 15:15

Updated : 2024-03-07 21:24

NVD link : CVE-2019-15605

Mitre link : CVE-2019-15605

CVE.ORG link : CVE-2019-15605

JSON object : View

Products Affected

redhat

  • software_collections
  • enterprise_linux_server_tus
  • enterprise_linux_desktop
  • enterprise_linux_server
  • enterprise_linux_workstation
  • enterprise_linux_server_aus
  • enterprise_linux
  • enterprise_linux_eus

oracle

  • graalvm

opensuse

  • leap

nodejs

  • node.js

debian

  • debian_linux

fedoraproject

  • fedora
CWE
CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')