{ "threat_severity" : "Moderate", "public_date" : "2020-02-07T00:00:00Z", "bugzilla" : { "description" : "nodejs: HTTP header values do not have trailing optional whitespace trimmed", "id" : "1800366", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1800366" }, "cvss3" : { "cvss3_base_score" : "4.8", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "status" : "verified" }, "cwe" : "CWE-138", "details" : [ "Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons", "A flaw was found in Node.js where the HTTP(s) header values were not stripped of trailing whitespace. An attacker can use this flaw to send an HTTP(s) request which is validated by an upstream proxy server, but not by the Node.js HTTP(s) server." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2020-02-25T00:00:00Z", "advisory" : "RHSA-2020:0579", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "nodejs:10-8010020200213140254.c27ad7f8" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2020-02-25T00:00:00Z", "advisory" : "RHSA-2020:0598", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "nodejs:12-8010020200220143053.c27ad7f8" }, { "product_name" : "Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions", "release_date" : "2020-02-24T00:00:00Z", "advisory" : "RHSA-2020:0573", "cpe" : "cpe:/a:redhat:rhel_e4s:8.0", "package" : "nodejs:10-8000020200214110450.f8e95b4e" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2020-02-25T00:00:00Z", "advisory" : "RHSA-2020:0597", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nodejs10-nodejs-0:10.19.0-1.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2020-02-25T00:00:00Z", "advisory" : "RHSA-2020:0602", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nodejs12-nodejs-0:12.16.1-1.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date" : "2020-02-25T00:00:00Z", "advisory" : "RHSA-2020:0597", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nodejs10-nodejs-0:10.19.0-1.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date" : "2020-02-25T00:00:00Z", "advisory" : "RHSA-2020:0602", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nodejs12-nodejs-0:12.16.1-1.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date" : "2020-02-25T00:00:00Z", "advisory" : "RHSA-2020:0597", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nodejs10-nodejs-0:10.19.0-1.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date" : "2020-02-25T00:00:00Z", "advisory" : "RHSA-2020:0602", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nodejs12-nodejs-0:12.16.1-1.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date" : "2020-02-25T00:00:00Z", "advisory" : "RHSA-2020:0597", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nodejs10-nodejs-0:10.19.0-1.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date" : "2020-02-25T00:00:00Z", "advisory" : "RHSA-2020:0602", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nodejs12-nodejs-0:12.16.1-1.el7" } ], "package_state" : [ { "product_name" : "Red Hat Quay 3", "fix_state" : "Not affected", "package_name" : "nodejs", "cpe" : "cpe:/a:redhat:quay:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-15606\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-15606\nhttps://nodejs.org/en/blog/vulnerability/february-2020-security-releases/" ], "name" : "CVE-2019-15606", "csaw" : false }