CVE-2019-15604

CVE-2019-15604

Name

CVE-2019-15604

Description

Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Vendor Advisory	https://nodejs.org/en/blog/release/v13.8.0/
Exploit	https://hackerone.com/reports/746733
Vendor Advisory	https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
Release Notes	https://nodejs.org/en/blog/release/v10.19.0/
Release Notes	https://nodejs.org/en/blog/release/v12.15.0/
REDHAT	https://access.redhat.com/errata/RHSA-2020:0573
CONFIRM	https://security.netapp.com/advisory/ntap-20200221-0004/
REDHAT	https://access.redhat.com/errata/RHSA-2020:0579
REDHAT	https://access.redhat.com/errata/RHSA-2020:0598
REDHAT	https://access.redhat.com/errata/RHSA-2020:0597
REDHAT	https://access.redhat.com/errata/RHSA-2020:0602
SUSE	http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html
GENTOO	https://security.gentoo.org/glsa/202003-48
N/A	https://www.oracle.com/security-alerts/cpuapr2020.html
DEBIAN	https://www.debian.org/security/2020/dsa-4669
N/A	https://www.oracle.com//security-alerts/cpujul2021.html

Type

URI

Vendor Advisory

https://nodejs.org/en/blog/release/v13.8.0/

Exploit

https://hackerone.com/reports/746733

Vendor Advisory

https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/

Release Notes

https://nodejs.org/en/blog/release/v10.19.0/

Release Notes

https://nodejs.org/en/blog/release/v12.15.0/

REDHAT

https://access.redhat.com/errata/RHSA-2020:0573

CONFIRM

https://security.netapp.com/advisory/ntap-20200221-0004/

REDHAT

https://access.redhat.com/errata/RHSA-2020:0579

REDHAT

https://access.redhat.com/errata/RHSA-2020:0598

REDHAT

https://access.redhat.com/errata/RHSA-2020:0597

REDHAT

https://access.redhat.com/errata/RHSA-2020:0602

SUSE

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html

GENTOO

https://security.gentoo.org/glsa/202003-48

N/A

https://www.oracle.com/security-alerts/cpuapr2020.html

DEBIAN

https://www.debian.org/security/2020/dsa-4669

N/A

https://www.oracle.com//security-alerts/cpujul2021.html

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:nodejs:node.js:::::lts:::*`	nodejs	>= 13.0.0	< 13.8.0
`cpe:2.3:a:nodejs:node.js:::::lts:::*`	nodejs	>= 12.0.0	< 12.15.0
`cpe:2.3:a:nodejs:node.js:::::lts:::*`	nodejs	>= 10.0.0	< 10.19.0

CPE URI

Source package

Min version

Max version

cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*

nodejs

>= 13.0.0

< 13.8.0

cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*

nodejs

>= 12.0.0

< 12.15.0

cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*

nodejs

>= 10.0.0

< 10.19.0

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
nodejs	edge-main	12.15.0-r0	None	fixed
nodejs-current	edge-community	13.11.0-r0	None	fixed
nodejs	3.22-main	12.15.0-r0	None	fixed
nodejs-current	3.22-community	13.11.0-r0	None	fixed
nodejs	3.21-main	12.15.0-r0	None	fixed
nodejs-current	3.21-community	13.11.0-r0	None	fixed
nodejs	3.20-main	12.15.0-r0	None	fixed
nodejs-current	3.20-community	13.11.0-r0	None	fixed
nodejs	3.19-main	12.15.0-r0	None	fixed
nodejs-current	3.19-community	13.11.0-r0	None	fixed
nodejs	3.18-main	12.15.0-r0	None	fixed
nodejs-current	3.18-community	13.11.0-r0	None	fixed
nodejs	3.17-main	12.15.0-r0	None	fixed
nodejs-current	3.17-community	13.11.0-r0	None	fixed
nodejs	3.12-main	12.15.0-r0	None	fixed
nodejs	3.11-main	12.15.0-r0	None	fixed
nodejs	3.10-main	10.19.0-r0	None	fixed

Source package

Branch

Version

Maintainer

Status

nodejs

edge-main

12.15.0-r0

None

fixed

nodejs-current

edge-community