Bug 1800364 (CVE-2019-15605) - CVE-2019-15605 nodejs: HTTP request smuggling using malformed Transfer-Encoding header
Summary: CVE-2019-15605 nodejs: HTTP request smuggling using malformed Transfer-Encodi...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-15605
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1800371 1800372 1800373 1800374 1800375 1800376 1800377 1800378 1800379 1800380 1800381 1802486 1802487 1802488 1802489 1802490 1802501 1803853 1803854 1821340
Blocks: 1800362
TreeView+ depends on / blocked
 
Reported: 2020-02-07 00:12 UTC by Jason Shepherd
Modified: 2020-04-21 11:14 UTC (History)
18 users (show)

Fixed In Version: nodejs 10.19.0, nodejs 12.15.0, nodejs 13.8.0, http-parser 2.9.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Node.js code where a specially crafted HTTP(s) request sent to a Node.js server failed to properly process the HTTP(s) headers, resulting in a request smuggling attack. An attacker can use this flaw to alter a request sent as an authenticated user if the Node.js server is deployed behind a proxy server that reuses connections.
Clone Of:
Environment:
Last Closed: 2020-02-24 15:49:45 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:0611 None None None 2020-02-26 11:52:40 UTC
Red Hat Product Errata RHBA-2020:0612 None None None 2020-02-26 12:02:11 UTC
Red Hat Product Errata RHBA-2020:0618 None None None 2020-02-26 15:00:43 UTC
Red Hat Product Errata RHBA-2020:0626 None None None 2020-02-27 08:31:20 UTC
Red Hat Product Errata RHBA-2020:0636 None None None 2020-02-27 15:53:25 UTC
Red Hat Product Errata RHBA-2020:0646 None None None 2020-03-02 08:04:15 UTC
Red Hat Product Errata RHBA-2020:0647 None None None 2020-03-02 08:01:53 UTC
Red Hat Product Errata RHBA-2020:0648 None None None 2020-03-02 08:08:17 UTC
Red Hat Product Errata RHBA-2020:0650 None None None 2020-03-02 10:20:42 UTC
Red Hat Product Errata RHBA-2020:0736 None None None 2020-03-09 06:33:27 UTC
Red Hat Product Errata RHSA-2020:0573 None None None 2020-02-24 12:53:48 UTC
Red Hat Product Errata RHSA-2020:0579 None None None 2020-02-25 08:36:33 UTC
Red Hat Product Errata RHSA-2020:0597 None None None 2020-02-25 13:04:40 UTC
Red Hat Product Errata RHSA-2020:0598 None None None 2020-02-25 13:39:26 UTC
Red Hat Product Errata RHSA-2020:0602 None None None 2020-02-25 15:53:20 UTC
Red Hat Product Errata RHSA-2020:0703 None None None 2020-03-04 12:44:02 UTC
Red Hat Product Errata RHSA-2020:0707 None None None 2020-03-04 17:17:06 UTC
Red Hat Product Errata RHSA-2020:0708 None None None 2020-03-04 17:27:38 UTC
Red Hat Product Errata RHSA-2020:1510 None None None 2020-04-21 11:14:30 UTC

Description Jason Shepherd 2020-02-07 00:12:24 UTC
Affected Node.js versions can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system.

Downloads & release details

* Node.js v10.19.0 (LTS) - https://nodejs.org/en/blog/release/v10.19.0/
* Node.js v12.15.0 (LTS) - https://nodejs.org/en/blog/release/v12.15.0/
* Node.js v13.8.0 (LTS) - https://nodejs.org/en/blog/release/v13.8.0/

Comment 2 Doran Moppert 2020-02-07 00:58:41 UTC
Created nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1800376]

Comment 5 Jason Shepherd 2020-02-12 00:01:52 UTC
Also fixed in http-parser-js 2.9.3 see: https://github.com/nodejs/http-parser/commit/7d5c99d09f6743b055d53fc3f642746d9801479b

Comment 6 Jason Shepherd 2020-02-12 23:45:01 UTC
Actually the commit in the previous comment refers to the 'http-parser' c library that ships in Fedora and RHEL. Not the http-parser-js javascript library as previously mentioned.

Comment 7 Cedric Buissart 2020-02-13 10:21:12 UTC
Created http-parser tracking bugs for this issue:

Affects: fedora-all [bug 1802501]

Comment 8 Tomas Hoger 2020-02-13 20:37:44 UTC
External References:

https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/

Comment 14 errata-xmlrpc 2020-02-24 12:53:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0573 https://access.redhat.com/errata/RHSA-2020:0573

Comment 15 Product Security DevOps Team 2020-02-24 15:49:45 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-15605

Comment 16 errata-xmlrpc 2020-02-25 08:36:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0579 https://access.redhat.com/errata/RHSA-2020:0579

Comment 17 errata-xmlrpc 2020-02-25 13:04:38 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:0597 https://access.redhat.com/errata/RHSA-2020:0597

Comment 18 errata-xmlrpc 2020-02-25 13:39:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0598 https://access.redhat.com/errata/RHSA-2020:0598

Comment 19 errata-xmlrpc 2020-02-25 15:53:18 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:0602 https://access.redhat.com/errata/RHSA-2020:0602

Comment 20 errata-xmlrpc 2020-03-04 12:44:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0703 https://access.redhat.com/errata/RHSA-2020:0703

Comment 21 errata-xmlrpc 2020-03-04 17:17:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0707 https://access.redhat.com/errata/RHSA-2020:0707

Comment 22 errata-xmlrpc 2020-03-04 17:27:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0708 https://access.redhat.com/errata/RHSA-2020:0708

Comment 25 errata-xmlrpc 2020-04-21 11:14:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:1510 https://access.redhat.com/errata/RHSA-2020:1510


Note You need to log in before you can comment on or make changes to this bug.