CVE-2019-15606
CRITICALNode.js 10.0.0-10.18.1, 13.0.0-13.7.0 - Authorization Bypass via HTTP Header Trailing Whitespace
Title source: llmDescription
Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons
References (16)
Core 16
Core References
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0573
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0579
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0597
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0598
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0602
Mailing List, Third Party Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202003-48
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2020/dsa-4669
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2020.html
Third Party Advisory x_refsource_misc
https://www.oracle.com//security-alerts/cpujul2021.html
Vendor Advisory x_refsource_confirm
https://nodejs.org/en/blog/release/v13.8.0/
Vendor Advisory x_refsource_confirm
https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
Release Notes, Vendor Advisory x_refsource_confirm
https://nodejs.org/en/blog/release/v10.19.0/
Release Notes, Vendor Advisory x_refsource_confirm
https://nodejs.org/en/blog/release/v12.15.0/
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20200221-0004/
Exploit, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/730779
Scores
CVSS v3
9.8
EPSS
0.0134
EPSS Percentile
80.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-20
Status
published
Products (9)
debian/debian_linux
10.0
nodejs/node.js
10.0.0 - 10.19.0
nodejs/node.js
13.0.0 - 13.8.0
opensuse/leap
15.1
oracle/communications_cloud_native_core_network_function_cloud_native_environment
1.4.0
oracle/graalvm
19.3.1
oracle/graalvm
20.0.0
redhat/enterprise_linux
8.0
redhat/enterprise_linux_eus
8.1
Published
Feb 07, 2020
Tracked Since
Feb 18, 2026