Vulnerability Details CVE-2019-15605
HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed
Exploit prediction scoring system (EPSS) score
EPSS Score 0.339
EPSS Ranking 96.7%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html
- https://access.redhat.com/errata/RHSA-2020:0573
- https://access.redhat.com/errata/RHSA-2020:0579
- https://access.redhat.com/errata/RHSA-2020:0597
- https://access.redhat.com/errata/RHSA-2020:0598
- https://access.redhat.com/errata/RHSA-2020:0602
- https://access.redhat.com/errata/RHSA-2020:0703
- https://access.redhat.com/errata/RHSA-2020:0707
- https://access.redhat.com/errata/RHSA-2020:0708
- https://hackerone.com/reports/735748
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CT3WTR4P5VAJ3GJGKPYEDUPTNZ3IEDUR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLB676PDU4RJQLWQUA277YNGYYNEYGWO/
- https://nodejs.org/en/blog/release/v10.19.0/
- https://nodejs.org/en/blog/release/v12.15.0/
- https://nodejs.org/en/blog/release/v13.8.0/
- https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
- https://security.gentoo.org/glsa/202003-48
- https://security.netapp.com/advisory/ntap-20200221-0004/
- https://www.debian.org/security/2020/dsa-4669
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html
- https://access.redhat.com/errata/RHSA-2020:0573
- https://access.redhat.com/errata/RHSA-2020:0579
- https://access.redhat.com/errata/RHSA-2020:0597
- https://access.redhat.com/errata/RHSA-2020:0598
- https://access.redhat.com/errata/RHSA-2020:0602
- https://access.redhat.com/errata/RHSA-2020:0703
- https://access.redhat.com/errata/RHSA-2020:0707
- https://access.redhat.com/errata/RHSA-2020:0708
- https://hackerone.com/reports/735748
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CT3WTR4P5VAJ3GJGKPYEDUPTNZ3IEDUR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLB676PDU4RJQLWQUA277YNGYYNEYGWO/
- https://nodejs.org/en/blog/release/v10.19.0/
- https://nodejs.org/en/blog/release/v12.15.0/
- https://nodejs.org/en/blog/release/v13.8.0/
- https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
- https://security.gentoo.org/glsa/202003-48
- https://security.netapp.com/advisory/ntap-20200221-0004/
- https://www.debian.org/security/2020/dsa-4669
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
Products affected by CVE-2019-15605
-
cpe:2.3:a:nodejs:node.js:10.0.0
-
cpe:2.3:a:nodejs:node.js:10.1.0
-
cpe:2.3:a:nodejs:node.js:10.10.0
-
cpe:2.3:a:nodejs:node.js:10.11.0
-
cpe:2.3:a:nodejs:node.js:10.12.0
-
cpe:2.3:a:nodejs:node.js:10.13.0
-
cpe:2.3:a:nodejs:node.js:10.14.0
-
cpe:2.3:a:nodejs:node.js:10.14.1
-
cpe:2.3:a:nodejs:node.js:10.14.2
-
cpe:2.3:a:nodejs:node.js:10.15.0
-
cpe:2.3:a:nodejs:node.js:10.15.1
-
cpe:2.3:a:nodejs:node.js:10.15.2
-
cpe:2.3:a:nodejs:node.js:10.15.3
-
cpe:2.3:a:nodejs:node.js:10.16.0
-
cpe:2.3:a:nodejs:node.js:10.16.1
-
cpe:2.3:a:nodejs:node.js:10.16.2
-
cpe:2.3:a:nodejs:node.js:10.16.3
-
cpe:2.3:a:nodejs:node.js:10.17.0
-
cpe:2.3:a:nodejs:node.js:10.18.0
-
cpe:2.3:a:nodejs:node.js:10.18.1
-
cpe:2.3:a:nodejs:node.js:10.2.0
-
cpe:2.3:a:nodejs:node.js:10.2.1
-
cpe:2.3:a:nodejs:node.js:10.3.0
-
cpe:2.3:a:nodejs:node.js:10.4.0
-
cpe:2.3:a:nodejs:node.js:10.4.1
-
cpe:2.3:a:nodejs:node.js:10.5.0
-
cpe:2.3:a:nodejs:node.js:10.6.0
-
cpe:2.3:a:nodejs:node.js:10.7.0
-
cpe:2.3:a:nodejs:node.js:10.8.0
-
cpe:2.3:a:nodejs:node.js:10.9.0
-
cpe:2.3:a:nodejs:node.js:12.0.0
-
cpe:2.3:a:nodejs:node.js:12.1.0
-
cpe:2.3:a:nodejs:node.js:12.10.0
-
cpe:2.3:a:nodejs:node.js:12.11.0
-
cpe:2.3:a:nodejs:node.js:12.11.1
-
cpe:2.3:a:nodejs:node.js:12.12.0
-
cpe:2.3:a:nodejs:node.js:12.13.0
-
cpe:2.3:a:nodejs:node.js:12.13.1
-
cpe:2.3:a:nodejs:node.js:12.14.0
-
cpe:2.3:a:nodejs:node.js:12.14.1
-
cpe:2.3:a:nodejs:node.js:12.2.0
-
cpe:2.3:a:nodejs:node.js:12.3.0
-
cpe:2.3:a:nodejs:node.js:12.3.1
-
cpe:2.3:a:nodejs:node.js:12.4.0
-
cpe:2.3:a:nodejs:node.js:12.5.0
-
cpe:2.3:a:nodejs:node.js:12.6.0
-
cpe:2.3:a:nodejs:node.js:12.7.0
-
cpe:2.3:a:nodejs:node.js:12.8.0
-
cpe:2.3:a:nodejs:node.js:12.8.1
-
cpe:2.3:a:nodejs:node.js:12.9.0
-
cpe:2.3:a:nodejs:node.js:12.9.1
-
cpe:2.3:a:nodejs:node.js:13.0.0
-
cpe:2.3:a:nodejs:node.js:13.0.1
-
cpe:2.3:a:nodejs:node.js:13.1.0
-
cpe:2.3:a:nodejs:node.js:13.2.0
-
cpe:2.3:a:nodejs:node.js:13.3.0
-
cpe:2.3:a:nodejs:node.js:13.4.0
-
cpe:2.3:a:nodejs:node.js:13.5.0
-
cpe:2.3:a:nodejs:node.js:13.6.0
-
cpe:2.3:a:nodejs:node.js:13.7.0
-
cpe:2.3:a:oracle:graalvm:19.3.1
-
cpe:2.3:a:oracle:graalvm:20.0.0
-
cpe:2.3:a:redhat:software_collections:1.0
-
cpe:2.3:o:debian:debian_linux:10.0
-
cpe:2.3:o:fedoraproject:fedora:30
-
cpe:2.3:o:opensuse:leap:15.1
-
cpe:2.3:o:redhat:enterprise_linux:8.0
-
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0
-
cpe:2.3:o:redhat:enterprise_linux_eus:7.7
-
cpe:2.3:o:redhat:enterprise_linux_eus:8.1
-
cpe:2.3:o:redhat:enterprise_linux_eus:8.2
-
cpe:2.3:o:redhat:enterprise_linux_eus:8.4
-
cpe:2.3:o:redhat:enterprise_linux_eus:8.6
-
cpe:2.3:o:redhat:enterprise_linux_server:7.0
-
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7
-
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2
-
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4
-
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6
-
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7
-
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2
-
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4
-
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6
-
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0