Search for vulnerabilities
Vulnerability details: VCID-pbkh-mkz6-gubx
Vulnerability ID VCID-pbkh-mkz6-gubx
Aliases CVE-2019-15606
Summary Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons
Status Published
Exploitability 0.5
Weighted Severity 8.8
Risk 4.4
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-138 Improper Neutralization of Special Elements
System Score Found at
cvssv3 4.8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-15606.json
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.02287 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.03456 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.03456 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.03456 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.03456 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
epss 0.03456 https://api.first.org/data/v1/epss?cve=CVE-2019-15606
cvssv3.1 8.1 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv2 7.5 https://nvd.nist.gov/vuln/detail/CVE-2019-15606
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2019-15606
Reference id Reference type URL
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html
https://access.redhat.com/errata/RHSA-2020:0573
https://access.redhat.com/errata/RHSA-2020:0579
https://access.redhat.com/errata/RHSA-2020:0597
https://access.redhat.com/errata/RHSA-2020:0598
https://access.redhat.com/errata/RHSA-2020:0602
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-15606.json
https://api.first.org/data/v1/epss?cve=CVE-2019-15606
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15604
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15605
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15606
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://hackerone.com/reports/730779
https://nodejs.org/en/blog/release/v10.19.0/
https://nodejs.org/en/blog/release/v12.15.0/
https://nodejs.org/en/blog/release/v13.8.0/
https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
https://security.gentoo.org/glsa/202003-48
https://security.netapp.com/advisory/ntap-20200221-0004/
https://www.debian.org/security/2020/dsa-4669
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com//security-alerts/cpujul2021.html
1800366 https://bugzilla.redhat.com/show_bug.cgi?id=1800366
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.4.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:graalvm:19.3.1:*:*:*:enterprise:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:graalvm:19.3.1:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm:20.0.0:*:*:*:enterprise:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:graalvm:20.0.0:*:*:*:enterprise:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*
CVE-2019-15606 https://nvd.nist.gov/vuln/detail/CVE-2019-15606
USN-6380-1 https://usn.ubuntu.com/6380-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-15606.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2019-15606
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2019-15606
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.8404
EPSS Score 0.02287
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:28:58.920323+00:00 Alpine Linux Importer Import https://secdb.alpinelinux.org/v3.11/main.json 37.0.0