CVE-2019-15605 - OpenCVE

HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Redhat	Enterprise Linux Enterprise Linux Server Aus Software Collections Enterprise Linux Server Tus Enterprise Linux Desktop Enterprise Linux Workstation Enterprise Linux Server Enterprise Linux Eus
Opensuse	Leap
Oracle	Graalvm
Fedoraproject	Fedora
Debian	Debian Linux
Nodejs	Node.js

Configuration 1 [-]

OR	cpe:2.3:a:nodejs:node.js:::::lts:::*
	cpe:2.3:a:nodejs:node.js:::::lts:::*
	cpe:2.3:a:nodejs:node.js:::::-:::*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*

Configuration 4 [-]

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Configuration 5 [-]

OR	cpe:2.3:a:redhat:software_collections:1.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:7.7:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:8.1:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:8.2:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:8.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:8.6:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*

Configuration 6 [-]

OR	cpe:2.3:a:oracle:graalvm:19.3.1::::enterprise:::
	cpe:2.3:a:oracle:graalvm:20.0.0::::enterprise:::

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html	Mailing List Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0573	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0579	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0597	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0598	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0602	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0703	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0707	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0708	Third Party Advisory
https://hackerone.com/reports/735748	Permissions Required Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CT3WTR4P5VAJ3GJGKPYEDUPTNZ3IEDUR/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLB676PDU4RJQLWQUA277YNGYYNEYGWO/
https://nodejs.org/en/blog/release/v10.19.0/	Release Notes Vendor Advisory
https://nodejs.org/en/blog/release/v12.15.0/	Release Notes Vendor Advisory
https://nodejs.org/en/blog/release/v13.8.0/	Vendor Advisory
https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/	Vendor Advisory
https://security.gentoo.org/glsa/202003-48	Third Party Advisory
https://security.netapp.com/advisory/ntap-20200221-0004/	Third Party Advisory
https://www.debian.org/security/2020/dsa-4669	Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.html	Patch Third Party Advisory