CVE-2019-15604

Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
hackeroneCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 88%
VendorProductVersion
nodejsnode.js
10.0.0 ≤
𝑥
< 10.19.0
nodejsnode.js
12.0.0 ≤
𝑥
< 12.15.0
nodejsnode.js
13.0.0 ≤
𝑥
< 13.8.0
debiandebian_linux
10.0
opensuseleap
15.1
redhatsoftware_collections
1.0
redhatenterprise_linux
8.0
redhatenterprise_linux_eus
8.1
redhatenterprise_linux_eus
8.2
redhatenterprise_linux_eus
8.4
redhatenterprise_linux_eus
8.6
redhatenterprise_linux_server_aus
8.2
redhatenterprise_linux_server_aus
8.4
redhatenterprise_linux_server_aus
8.6
redhatenterprise_linux_server_tus
8.2
redhatenterprise_linux_server_tus
8.4
redhatenterprise_linux_server_tus
8.6
oraclecommunications_cloud_native_core_network_function_cloud_native_environment
1.4.0
oraclegraalvm
19.3.1
oraclegraalvm
20.0.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
nodejs
bullseye
12.22.12~dfsg-1~deb11u4
fixed
stretch
ignored
bullseye (security)
12.22.12~dfsg-1~deb11u5
fixed
bookworm
18.19.0+dfsg-6~deb12u2
fixed
bookworm (security)
18.19.0+dfsg-6~deb12u1
fixed
sid
20.17.0+dfsg-2
fixed
trixie
20.17.0+dfsg-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
nodejs
mantic
not-affected
lunar
not-affected
kinetic
not-affected
jammy
not-affected
impish
not-affected
hirsute
not-affected
groovy
not-affected
focal
not-affected
eoan
ignored
bionic
Fixed 8.10.0~dfsg-2ubuntu0.4+esm2
released
xenial
Fixed 4.2.6~dfsg-1ubuntu4.2+esm2
released
trusty
not-affected
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html
https://access.redhat.com/errata/RHSA-2020:0573
https://access.redhat.com/errata/RHSA-2020:0579
https://access.redhat.com/errata/RHSA-2020:0597
https://access.redhat.com/errata/RHSA-2020:0598
https://access.redhat.com/errata/RHSA-2020:0602
https://hackerone.com/reports/746733
https://nodejs.org/en/blog/release/v10.19.0/
https://nodejs.org/en/blog/release/v12.15.0/
https://nodejs.org/en/blog/release/v13.8.0/
https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
https://security.gentoo.org/glsa/202003-48
https://security.netapp.com/advisory/ntap-20200221-0004/
https://www.debian.org/security/2020/dsa-4669
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuapr2020.html
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html
https://access.redhat.com/errata/RHSA-2020:0573
https://access.redhat.com/errata/RHSA-2020:0579
https://access.redhat.com/errata/RHSA-2020:0597
https://access.redhat.com/errata/RHSA-2020:0598
https://access.redhat.com/errata/RHSA-2020:0602
https://hackerone.com/reports/746733
https://nodejs.org/en/blog/release/v10.19.0/
https://nodejs.org/en/blog/release/v12.15.0/
https://nodejs.org/en/blog/release/v13.8.0/
https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
https://security.gentoo.org/glsa/202003-48
https://security.netapp.com/advisory/ntap-20200221-0004/
https://www.debian.org/security/2020/dsa-4669
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuapr2020.html