CVE-2019-15606

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2019-15606

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-15606.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-15606

Downstream

ALPINE-CVE-2019-15606

BELL-CVE-2019-15606

CLEANSTART-2026-JY06700

CLEANSTART-2026-KN34553

CLEANSTART-2026-LN12820

CLEANSTART-2026-WI75198

DEBIAN-CVE-2019-15606

DSA-4669-1

RHSA-2020:0573

RHSA-2020:0579

RHSA-2020:0597

RHSA-2020:0598

RHSA-2020:0602

RLSA-2020:0579

RLSA-2020:0598

SUSE-SU-2020:0427-1

SUSE-SU-2020:0429-1

SUSE-SU-2020:0454-1

SUSE-SU-2020:0455-1

SUSE-SU-2020:0488-1

UBUNTU-CVE-2019-15606

USN-6380-1

openSUSE-SU-2020:0293-1

Related

Published

2020-02-07T15:15:11.413Z

Modified

2026-03-15T22:31:39.522437Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons

References

Affected packages

Git / github.com/graalvm/graalvm-ce-builds

Affected ranges

Type

GIT

Repo

https://github.com/graalvm/graalvm-ce-builds

Events

Introduced

Last affected

a73b2856ee6290a92e3b199b17b217d31e9f9254

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "19.3.1"
        }
    ]
}

Type

GIT

Repo

https://github.com/nodejs/node

Events

Introduced

cf41627411886000429bde058a6594fb7f6d6d47

Fixed

5ba7df3c4b81ab695029dacf34a0aa960be71372

Introduced

2f45ad8060e13d5ac912335096d21526f2f9602b

Fixed

31d3b6d9cbf6f533e7990fa1b7f82976bc384c64

Introduced

111e59b0bcbd364d6f16722ace6dd035e23df2cc

Fixed

6558cfc0b075adfffe0d8c87bbe0d3e0b9326ab5

Introduced

Last affected

e7618fb5a5fc25d76b6474e2a6607f04fd6f10e0

Introduced

Last affected

cf41627411886000429bde058a6594fb7f6d6d47

Introduced

Last affected

0d8021e5a4cf0a6aa3a700a361f6d42c2894f2ba

Introduced

Last affected

f6fc46e03674ab1896792b7363ecac0665b5e0c5

Introduced

Last affected

2291e079f22e6df1f7683a05d17364b2ab3bfdab

Database specific

{
    "versions": [
        {
            "introduced": "10.0.0"
        },
        {
            "fixed": "10.19.0"
        },
        {
            "introduced": "12.0.0"
        },
        {
            "fixed": "12.15.0"
        },
        {
            "introduced": "13.0.0"
        },
        {
            "fixed": "13.8.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "20.0.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "10.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "8.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "8.1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "15.1"
        }
    ]
}

Affected versions

v10.*

v10.0.0

v10.1.0

v10.10.0

v10.11.0

v10.12.0

v10.13.0

v10.14.0

v10.14.1

v10.14.2

v10.15.0

v10.15.1

v10.15.2

v10.15.3

v10.16.0

v10.16.1

v10.16.2

v10.16.3

v10.17.0

v10.18.0

v10.18.1

v10.2.0

v10.2.1

v10.3.0

v10.4.0

v10.4.1

v10.5.0

v10.6.0

v10.7.0

v10.8.0

v10.9.0

vm-19.*

vm-19.3.0

vm-19.3.0.2

vm-19.3.1

vm-20.*

vm-20.0.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-15606.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "1.4.0"
            }
        ]
    }
]