Search for vulnerabilities
Vulnerability details: VCID-mg9f-35c4-aaaq
Vulnerability ID VCID-mg9f-35c4-aaaq
Aliases CVE-2019-15606
Summary Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons
Status Published
Exploitability 0.5
Weighted Severity 8.8
Risk 4.4
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-138 Improper Neutralization of Special Elements
System Score Found at
generic_textual Medium http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15606.html
rhas Important https://access.redhat.com/errata/RHSA-2020:0573
rhas Important https://access.redhat.com/errata/RHSA-2020:0579
rhas Important https://access.redhat.com/errata/RHSA-2020:0597
rhas Important https://access.redhat.com/errata/RHSA-2020:0602
cvssv3 4.8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-15606.json
epss 0.00940 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.00940 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.00940 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.01251 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.01251 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.01251 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.01251 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.01251 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.01251 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.01251 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.01251 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.01251 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.01251 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.01251 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.0174 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02683 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02683 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02683 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02683 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.03456 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.03456 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.03456 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.03456 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.35082 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
rhbs medium https://bugzilla.redhat.com/show_bug.cgi?id=1800366
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15604
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15605
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15606
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514
cvssv3.1 8.1 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
generic_textual Medium https://hackerone.com/reports/730779
generic_textual Medium https://nodejs.org/en/blog/release/v13.8.0/
cvssv2 7.5 https://nvd.nist.gov/vuln/detail/CVE-2019-15606
cvssv3 9.8 https://nvd.nist.gov/vuln/detail/CVE-2019-15606
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2019-15606
cvssv3.1 7.7 https://security.gentoo.org/glsa/202003-48
generic_textual HIGH https://security.gentoo.org/glsa/202003-48
cvssv3.1 7.5 https://www.debian.org/security/2020/dsa-4669
generic_textual HIGH https://www.debian.org/security/2020/dsa-4669
cvssv3.1 9.8 https://www.oracle.com/security-alerts/cpuapr2020.html
generic_textual CRITICAL https://www.oracle.com/security-alerts/cpuapr2020.html
cvssv3.1 5.3 https://www.oracle.com//security-alerts/cpujul2021.html
generic_textual MODERATE https://www.oracle.com//security-alerts/cpujul2021.html
Reference id Reference type URL
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15606.html
https://access.redhat.com/errata/RHSA-2020:0598
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-15606.json
https://api.first.org/data/v1/epss?cve=CVE-2019-15606
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15604
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15605
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15606
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://hackerone.com/reports/730779
https://nodejs.org/en/blog/release/v10.19.0/
https://nodejs.org/en/blog/release/v12.15.0/
https://nodejs.org/en/blog/release/v13.8.0/
https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
https://security.gentoo.org/glsa/202003-48
https://security.netapp.com/advisory/ntap-20200221-0004/
https://www.debian.org/security/2020/dsa-4669
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com//security-alerts/cpujul2021.html
1800366 https://bugzilla.redhat.com/show_bug.cgi?id=1800366
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.4.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:graalvm:19.3.1:*:*:*:enterprise:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:graalvm:19.3.1:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm:20.0.0:*:*:*:enterprise:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:graalvm:20.0.0:*:*:*:enterprise:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*
CVE-2019-15606 https://nvd.nist.gov/vuln/detail/CVE-2019-15606
RHSA-2020:0573 https://access.redhat.com/errata/RHSA-2020:0573
RHSA-2020:0579 https://access.redhat.com/errata/RHSA-2020:0579
RHSA-2020:0597 https://access.redhat.com/errata/RHSA-2020:0597
RHSA-2020:0602 https://access.redhat.com/errata/RHSA-2020:0602
USN-6380-1 https://usn.ubuntu.com/6380-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-15606.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2019-15606
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2019-15606
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2019-15606
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N Found at https://security.gentoo.org/glsa/202003-48
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://www.debian.org/security/2020/dsa-4669
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.oracle.com/security-alerts/cpuapr2020.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://www.oracle.com//security-alerts/cpujul2021.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.82843
EPSS Score 0.00940
Published At Dec. 17, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.