Bug 1800366 (CVE-2019-15606) - CVE-2019-15606 nodejs: HTTP header values do not have trailing optional whitespace trimmed
Summary: CVE-2019-15606 nodejs: HTTP header values do not have trailing optional white...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-15606
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1800385 1800387 1800389 1800391 1800393 1800395 1800397 1800399 1800401 1800403
Blocks: 1800362
TreeView+ depends on / blocked
 
Reported: 2020-02-07 00:21 UTC by Jason Shepherd
Modified: 2020-07-14 00:44 UTC (History)
13 users (show)

Fixed In Version: nodejs 10.19.0, nodejs 12.15.0, nodejs 13.8.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Node.js where the HTTP(s) header values were not stripped of trailing whitespace. An attacker can use this flaw to send an HTTP(s) request which is validated by an upstream proxy server, but not by the Node.js HTTP(s) server.
Clone Of:
Environment:
Last Closed: 2020-02-24 15:49:49 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:0611 None None None 2020-02-26 11:52:38 UTC
Red Hat Product Errata RHBA-2020:0612 None None None 2020-02-26 12:02:13 UTC
Red Hat Product Errata RHBA-2020:0618 None None None 2020-02-26 15:00:45 UTC
Red Hat Product Errata RHBA-2020:0626 None None None 2020-02-27 08:31:19 UTC
Red Hat Product Errata RHBA-2020:0636 None None None 2020-02-27 15:53:25 UTC
Red Hat Product Errata RHBA-2020:0646 None None None 2020-03-02 08:04:16 UTC
Red Hat Product Errata RHBA-2020:0647 None None None 2020-03-02 08:01:55 UTC
Red Hat Product Errata RHBA-2020:0648 None None None 2020-03-02 08:08:19 UTC
Red Hat Product Errata RHBA-2020:0650 None None None 2020-03-02 10:20:42 UTC
Red Hat Product Errata RHSA-2020:0573 None None None 2020-02-24 12:54:05 UTC
Red Hat Product Errata RHSA-2020:0579 None None None 2020-02-25 08:36:33 UTC
Red Hat Product Errata RHSA-2020:0597 None None None 2020-02-25 13:04:41 UTC
Red Hat Product Errata RHSA-2020:0598 None None None 2020-02-25 13:39:27 UTC
Red Hat Product Errata RHSA-2020:0602 None None None 2020-02-25 15:53:22 UTC

Description Jason Shepherd 2020-02-07 00:21:00 UTC
Optional whitespace should be trimmed from HTTP header values. Its presence may allow attackers to bypass security checks based on HTTP header values.

Comment 3 Tomas Hoger 2020-02-13 20:39:16 UTC
External References:

https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/

Comment 5 errata-xmlrpc 2020-02-24 12:54:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0573 https://access.redhat.com/errata/RHSA-2020:0573

Comment 6 Product Security DevOps Team 2020-02-24 15:49:49 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-15606

Comment 7 errata-xmlrpc 2020-02-25 08:36:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0579 https://access.redhat.com/errata/RHSA-2020:0579

Comment 8 errata-xmlrpc 2020-02-25 13:04:39 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:0597 https://access.redhat.com/errata/RHSA-2020:0597

Comment 9 errata-xmlrpc 2020-02-25 13:39:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0598 https://access.redhat.com/errata/RHSA-2020:0598

Comment 10 errata-xmlrpc 2020-02-25 15:53:20 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:0602 https://access.redhat.com/errata/RHSA-2020:0602


Note You need to log in before you can comment on or make changes to this bug.