CVE-2019-15605
N/A
N/A
Summary
HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| NodeJS | Node | 4.0 < 4.* | affected |
| NodeJS | Node | 5.0 < 5.* | affected |
| NodeJS | Node | 6.0 < 6.* | affected |
| NodeJS | Node | 7.0 < 7.* | affected |
| NodeJS | Node | 8.0 < 8.* | affected |
| NodeJS | Node | 9.0 < 9.* | affected |
| NodeJS | Node | 10.0 < 10.19.0 | affected |
| NodeJS | Node | 11.0 < 11.* | affected |
| NodeJS | Node | 12.0 < 12.15.0 | affected |
| NodeJS | Node | 13.0 < 13.8.0 | affected |
Weaknesses
- CWE-444: HTTP Request Smuggling (CWE-444)
ADP Enrichment
CVE Program Container
Additional References
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLB676PDU4RJQLWQUA277YNGYYNEYGWO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CT3WTR4P5VAJ3GJGKPYEDUPTNZ3IEDUR/
- https://access.redhat.com/errata/RHSA-2020:0573
- https://access.redhat.com/errata/RHSA-2020:0579
- https://access.redhat.com/errata/RHSA-2020:0597
- https://access.redhat.com/errata/RHSA-2020:0598
- https://access.redhat.com/errata/RHSA-2020:0602
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html
- https://access.redhat.com/errata/RHSA-2020:0703
- https://access.redhat.com/errata/RHSA-2020:0707
- https://access.redhat.com/errata/RHSA-2020:0708
- https://security.gentoo.org/glsa/202003-48
- https://www.debian.org/security/2020/dsa-4669
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://nodejs.org/en/blog/release/v13.8.0/
- https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
- https://nodejs.org/en/blog/release/v10.19.0/
- https://nodejs.org/en/blog/release/v12.15.0/
- https://security.netapp.com/advisory/ntap-20200221-0004/
- https://hackerone.com/reports/735748
References
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLB676PDU4RJQLWQUA277YNGYYNEYGWO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CT3WTR4P5VAJ3GJGKPYEDUPTNZ3IEDUR/
- https://access.redhat.com/errata/RHSA-2020:0573
- https://access.redhat.com/errata/RHSA-2020:0579
- https://access.redhat.com/errata/RHSA-2020:0597
- https://access.redhat.com/errata/RHSA-2020:0598
- https://access.redhat.com/errata/RHSA-2020:0602
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html
- https://access.redhat.com/errata/RHSA-2020:0703
- https://access.redhat.com/errata/RHSA-2020:0707
- https://access.redhat.com/errata/RHSA-2020:0708
- https://security.gentoo.org/glsa/202003-48
- https://www.debian.org/security/2020/dsa-4669
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://nodejs.org/en/blog/release/v13.8.0/
- https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
- https://nodejs.org/en/blog/release/v10.19.0/
- https://nodejs.org/en/blog/release/v12.15.0/
- https://security.netapp.com/advisory/ntap-20200221-0004/
- https://hackerone.com/reports/735748
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.