Vulnerability-Lookup

RHSA-2020:0579

Vulnerability from csaf_redhat - Published: 2020-02-25 08:39 - Updated: 2026-02-25 17:33

Summary

Red Hat Security Advisory: nodejs:10 security update

Severity

Important

Notes

Topic: An update for the nodejs:10 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details: Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (10.19.0). Security Fix(es): * nodejs: HTTP request smuggling using malformed Transfer-Encoding header (CVE-2019-15605) * nodejs: Remotely trigger an assertion on a TLS server with a malformed certificate string (CVE-2019-15604) * nodejs: HTTP header values do not have trailing optional whitespace trimmed (CVE-2019-15606) * npm: Symlink reference outside of node_modules folder through the bin field upon installation (CVE-2019-16775) * npm: Arbitrary file write via constructed entry in the package.json bin field (CVE-2019-16776) * npm: Global node_modules Binary Overwrite (CVE-2019-16777) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2019-15604

An encoding error flaw exists in the Node.js code that is used to read a peer certificate in the TLS client authentication. An attacker can use this flaw to crash the process used to handle TLS client authentication.

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-172 - Encoding Error

Vendor Fix For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 https://access.redhat.com/errata/RHSA-2020:0579

CVE-2019-15605

A flaw was found in the Node.js code where a specially crafted HTTP(s) request sent to a Node.js server failed to properly process the HTTP(s) headers, resulting in a request smuggling attack. An attacker can use this flaw to alter a request sent as an authenticated user if the Node.js server is deployed behind a proxy server that reuses connections.

7.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CVE-2019-15606

A flaw was found in Node.js where the HTTP(s) header values were not stripped of trailing whitespace. An attacker can use this flaw to send an HTTP(s) request which is validated by an upstream proxy server, but not by the Node.js HTTP(s) server.

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-138 - Improper Neutralization of Special Elements

CVE-2019-16775

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

CWE-20 - Improper Input Validation

CVE-2019-16776

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

CWE-20 - Improper Input Validation

CVE-2019-16777

Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

CWE-20 - Improper Input Validation

References

URL

Category

	https://access.redhat.com/errata/RHSA-2020:0579	self
	https://access.redhat.com/security/updates/classi…	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1788301	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1788305	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1788310	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1800364	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1800366	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1800367	external
	https://security.access.redhat.com/data/csaf/v2/a…	self
	https://access.redhat.com/security/cve/CVE-2019-15604	self
	https://bugzilla.redhat.com/show_bug.cgi?id=1800367	external
	https://www.cve.org/CVERecord?id=CVE-2019-15604	external
	https://nvd.nist.gov/vuln/detail/CVE-2019-15604	external
	https://nodejs.org/en/blog/vulnerability/february…	external
	https://access.redhat.com/security/cve/CVE-2019-15605	self
	https://bugzilla.redhat.com/show_bug.cgi?id=1800364	external
	https://www.cve.org/CVERecord?id=CVE-2019-15605	external
	https://nvd.nist.gov/vuln/detail/CVE-2019-15605	external
	https://access.redhat.com/security/cve/CVE-2019-15606	self
	https://bugzilla.redhat.com/show_bug.cgi?id=1800366	external
	https://www.cve.org/CVERecord?id=CVE-2019-15606	external
	https://nvd.nist.gov/vuln/detail/CVE-2019-15606	external
	https://access.redhat.com/security/cve/CVE-2019-16775	self
	https://bugzilla.redhat.com/show_bug.cgi?id=1788305	external
	https://www.cve.org/CVERecord?id=CVE-2019-16775	external
	https://nvd.nist.gov/vuln/detail/CVE-2019-16775	external
	https://access.redhat.com/security/cve/CVE-2019-16776	self
	https://bugzilla.redhat.com/show_bug.cgi?id=1788310	external
	https://www.cve.org/CVERecord?id=CVE-2019-16776	external
	https://nvd.nist.gov/vuln/detail/CVE-2019-16776	external
	https://access.redhat.com/security/cve/CVE-2019-16777	self
	https://bugzilla.redhat.com/show_bug.cgi?id=1788301	external
	https://www.cve.org/CVERecord?id=CVE-2019-16777	external
	https://nvd.nist.gov/vuln/detail/CVE-2019-16777	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for the nodejs:10 module is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.\n\nThe following packages have been upgraded to a later upstream version: nodejs (10.19.0).\n\nSecurity Fix(es):\n\n* nodejs: HTTP request smuggling using malformed Transfer-Encoding header (CVE-2019-15605)\n\n* nodejs: Remotely trigger an assertion on a TLS server with a malformed certificate string (CVE-2019-15604)\n\n* nodejs: HTTP header values do not have trailing optional whitespace trimmed (CVE-2019-15606)\n\n* npm: Symlink reference outside of node_modules folder through the bin field upon installation (CVE-2019-16775)\n\n* npm: Arbitrary file write via constructed entry in the package.json bin field (CVE-2019-16776)\n\n* npm: Global node_modules Binary Overwrite (CVE-2019-16777)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2020:0579",
        "url": "https://access.redhat.com/errata/RHSA-2020:0579"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "1788301",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1788301"
      },
      {
        "category": "external",
        "summary": "1788305",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1788305"
      },
      {
        "category": "external",
        "summary": "1788310",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1788310"
      },
      {
        "category": "external",
        "summary": "1800364",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1800364"
      },
      {
        "category": "external",
        "summary": "1800366",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1800366"
      },
      {
        "category": "external",
        "summary": "1800367",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1800367"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_0579.json"
      }
    ],
    "title": "Red Hat Security Advisory: nodejs:10 security update",
    "tracking": {
      "current_release_date": "2026-02-25T17:33:48+00:00",
      "generator": {
        "date": "2026-02-25T17:33:48+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.1"
        }
      },
      "id": "RHSA-2020:0579",
      "initial_release_date": "2020-02-25T08:39:40+00:00",
      "revision_history": [
        {
          "date": "2020-02-25T08:39:40+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2020-02-25T08:39:40+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-02-25T17:33:48+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux AppStream (v. 8)",
                "product": {
                  "name": "Red Hat Enterprise Linux AppStream (v. 8)",
                  "product_id": "AppStream-8.1.0.Z.MAIN.EUS",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:enterprise_linux:8::appstream"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
                "product": {
                  "name": "nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64 (nodejs:10)",
                  "product_id": "nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs@10.19.0-1.module%2Bel8.1.0%2B5726%2B6ed65f8c?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:10:8010020200213140254:c27ad7f8"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
                "product": {
                  "name": "nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64 (nodejs:10)",
                  "product_id": "nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs-debuginfo@10.19.0-1.module%2Bel8.1.0%2B5726%2B6ed65f8c?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:10:8010020200213140254:c27ad7f8"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
                "product": {
                  "name": "nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64 (nodejs:10)",
                  "product_id": "nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs-debugsource@10.19.0-1.module%2Bel8.1.0%2B5726%2B6ed65f8c?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:10:8010020200213140254:c27ad7f8"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
                "product": {
                  "name": "nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64 (nodejs:10)",
                  "product_id": "nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs-devel@10.19.0-1.module%2Bel8.1.0%2B5726%2B6ed65f8c?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:10:8010020200213140254:c27ad7f8"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
                "product": {
                  "name": "npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.aarch64 (nodejs:10)",
                  "product_id": "npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/npm@6.13.4-1.10.19.0.1.module%2Bel8.1.0%2B5726%2B6ed65f8c?arch=aarch64\u0026epoch=1\u0026rpmmod=nodejs:10:8010020200213140254:c27ad7f8"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.src::nodejs:10",
                "product": {
                  "name": "nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.src (nodejs:10)",
                  "product_id": "nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.src::nodejs:10",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs@10.19.0-1.module%2Bel8.1.0%2B5726%2B6ed65f8c?arch=src\u0026epoch=1\u0026rpmmod=nodejs:10:8010020200213140254:c27ad7f8"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.src::nodejs:10",
                "product": {
                  "name": "nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.src (nodejs:10)",
                  "product_id": "nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.src::nodejs:10",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs-nodemon@1.18.3-1.module%2Bel8%2B2632%2B6c5111ed?arch=src\u0026rpmmod=nodejs:10:8010020200213140254:c27ad7f8"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.src::nodejs:10",
                "product": {
                  "name": "nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.src (nodejs:10)",
                  "product_id": "nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.src::nodejs:10",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs-packaging@17-3.module%2Bel8%2B2873%2Baa7dfd9a?arch=src\u0026rpmmod=nodejs:10:8010020200213140254:c27ad7f8"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nodejs-docs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.noarch::nodejs:10",
                "product": {
                  "name": "nodejs-docs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.noarch (nodejs:10)",
                  "product_id": "nodejs-docs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.noarch::nodejs:10",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs-docs@10.19.0-1.module%2Bel8.1.0%2B5726%2B6ed65f8c?arch=noarch\u0026epoch=1\u0026rpmmod=nodejs:10:8010020200213140254:c27ad7f8"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.noarch::nodejs:10",
                "product": {
                  "name": "nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.noarch (nodejs:10)",
                  "product_id": "nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.noarch::nodejs:10",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs-nodemon@1.18.3-1.module%2Bel8%2B2632%2B6c5111ed?arch=noarch\u0026rpmmod=nodejs:10:8010020200213140254:c27ad7f8"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.noarch::nodejs:10",
                "product": {
                  "name": "nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.noarch (nodejs:10)",
                  "product_id": "nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.noarch::nodejs:10",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs-packaging@17-3.module%2Bel8%2B2873%2Baa7dfd9a?arch=noarch\u0026rpmmod=nodejs:10:8010020200213140254:c27ad7f8"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
                "product": {
                  "name": "nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le (nodejs:10)",
                  "product_id": "nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs@10.19.0-1.module%2Bel8.1.0%2B5726%2B6ed65f8c?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:10:8010020200213140254:c27ad7f8"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
                "product": {
                  "name": "nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le (nodejs:10)",
                  "product_id": "nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs-debuginfo@10.19.0-1.module%2Bel8.1.0%2B5726%2B6ed65f8c?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:10:8010020200213140254:c27ad7f8"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
                "product": {
                  "name": "nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le (nodejs:10)",
                  "product_id": "nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs-debugsource@10.19.0-1.module%2Bel8.1.0%2B5726%2B6ed65f8c?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:10:8010020200213140254:c27ad7f8"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
                "product": {
                  "name": "nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le (nodejs:10)",
                  "product_id": "nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs-devel@10.19.0-1.module%2Bel8.1.0%2B5726%2B6ed65f8c?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:10:8010020200213140254:c27ad7f8"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
                "product": {
                  "name": "npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.ppc64le (nodejs:10)",
                  "product_id": "npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/npm@6.13.4-1.10.19.0.1.module%2Bel8.1.0%2B5726%2B6ed65f8c?arch=ppc64le\u0026epoch=1\u0026rpmmod=nodejs:10:8010020200213140254:c27ad7f8"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
                "product": {
                  "name": "nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x (nodejs:10)",
                  "product_id": "nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs@10.19.0-1.module%2Bel8.1.0%2B5726%2B6ed65f8c?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:10:8010020200213140254:c27ad7f8"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
                "product": {
                  "name": "nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x (nodejs:10)",
                  "product_id": "nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs-debuginfo@10.19.0-1.module%2Bel8.1.0%2B5726%2B6ed65f8c?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:10:8010020200213140254:c27ad7f8"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
                "product": {
                  "name": "nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x (nodejs:10)",
                  "product_id": "nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs-debugsource@10.19.0-1.module%2Bel8.1.0%2B5726%2B6ed65f8c?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:10:8010020200213140254:c27ad7f8"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
                "product": {
                  "name": "nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x (nodejs:10)",
                  "product_id": "nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs-devel@10.19.0-1.module%2Bel8.1.0%2B5726%2B6ed65f8c?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:10:8010020200213140254:c27ad7f8"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
                "product": {
                  "name": "npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.s390x (nodejs:10)",
                  "product_id": "npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/npm@6.13.4-1.10.19.0.1.module%2Bel8.1.0%2B5726%2B6ed65f8c?arch=s390x\u0026epoch=1\u0026rpmmod=nodejs:10:8010020200213140254:c27ad7f8"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
                "product": {
                  "name": "nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64 (nodejs:10)",
                  "product_id": "nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs@10.19.0-1.module%2Bel8.1.0%2B5726%2B6ed65f8c?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:10:8010020200213140254:c27ad7f8"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
                "product": {
                  "name": "nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64 (nodejs:10)",
                  "product_id": "nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs-debuginfo@10.19.0-1.module%2Bel8.1.0%2B5726%2B6ed65f8c?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:10:8010020200213140254:c27ad7f8"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
                "product": {
                  "name": "nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64 (nodejs:10)",
                  "product_id": "nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs-debugsource@10.19.0-1.module%2Bel8.1.0%2B5726%2B6ed65f8c?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:10:8010020200213140254:c27ad7f8"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
                "product": {
                  "name": "nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64 (nodejs:10)",
                  "product_id": "nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs-devel@10.19.0-1.module%2Bel8.1.0%2B5726%2B6ed65f8c?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:10:8010020200213140254:c27ad7f8"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "nodejs-devel-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
                "product": {
                  "name": "nodejs-devel-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64 (nodejs:10)",
                  "product_id": "nodejs-devel-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs-devel-debuginfo@10.19.0-1.module%2Bel8.1.0%2B5726%2B6ed65f8c?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:10:8010020200213140254:c27ad7f8"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
                "product": {
                  "name": "npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.x86_64 (nodejs:10)",
                  "product_id": "npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/npm@6.13.4-1.10.19.0.1.module%2Bel8.1.0%2B5726%2B6ed65f8c?arch=x86_64\u0026epoch=1\u0026rpmmod=nodejs:10:8010020200213140254:c27ad7f8"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64 (nodejs:10) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
          "product_id": "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10"
        },
        "product_reference": "nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
        "relates_to_product_reference": "AppStream-8.1.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le (nodejs:10) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
          "product_id": "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10"
        },
        "product_reference": "nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
        "relates_to_product_reference": "AppStream-8.1.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x (nodejs:10) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
          "product_id": "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10"
        },
        "product_reference": "nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
        "relates_to_product_reference": "AppStream-8.1.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.src (nodejs:10) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
          "product_id": "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.src::nodejs:10"
        },
        "product_reference": "nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.src::nodejs:10",
        "relates_to_product_reference": "AppStream-8.1.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64 (nodejs:10) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
          "product_id": "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10"
        },
        "product_reference": "nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
        "relates_to_product_reference": "AppStream-8.1.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64 (nodejs:10) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
          "product_id": "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10"
        },
        "product_reference": "nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
        "relates_to_product_reference": "AppStream-8.1.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le (nodejs:10) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
          "product_id": "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10"
        },
        "product_reference": "nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
        "relates_to_product_reference": "AppStream-8.1.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x (nodejs:10) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
          "product_id": "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10"
        },
        "product_reference": "nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
        "relates_to_product_reference": "AppStream-8.1.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64 (nodejs:10) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
          "product_id": "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10"
        },
        "product_reference": "nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
        "relates_to_product_reference": "AppStream-8.1.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64 (nodejs:10) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
          "product_id": "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10"
        },
        "product_reference": "nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
        "relates_to_product_reference": "AppStream-8.1.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le (nodejs:10) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
          "product_id": "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10"
        },
        "product_reference": "nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
        "relates_to_product_reference": "AppStream-8.1.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x (nodejs:10) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
          "product_id": "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10"
        },
        "product_reference": "nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
        "relates_to_product_reference": "AppStream-8.1.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64 (nodejs:10) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
          "product_id": "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10"
        },
        "product_reference": "nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
        "relates_to_product_reference": "AppStream-8.1.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64 (nodejs:10) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
          "product_id": "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10"
        },
        "product_reference": "nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
        "relates_to_product_reference": "AppStream-8.1.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le (nodejs:10) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
          "product_id": "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10"
        },
        "product_reference": "nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
        "relates_to_product_reference": "AppStream-8.1.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x (nodejs:10) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
          "product_id": "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10"
        },
        "product_reference": "nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
        "relates_to_product_reference": "AppStream-8.1.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64 (nodejs:10) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
          "product_id": "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10"
        },
        "product_reference": "nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
        "relates_to_product_reference": "AppStream-8.1.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-devel-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64 (nodejs:10) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
          "product_id": "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10"
        },
        "product_reference": "nodejs-devel-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
        "relates_to_product_reference": "AppStream-8.1.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-docs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.noarch (nodejs:10) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
          "product_id": "AppStream-8.1.0.Z.MAIN.EUS:nodejs-docs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.noarch::nodejs:10"
        },
        "product_reference": "nodejs-docs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.noarch::nodejs:10",
        "relates_to_product_reference": "AppStream-8.1.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.noarch (nodejs:10) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
          "product_id": "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.noarch::nodejs:10"
        },
        "product_reference": "nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.noarch::nodejs:10",
        "relates_to_product_reference": "AppStream-8.1.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.src (nodejs:10) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
          "product_id": "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.src::nodejs:10"
        },
        "product_reference": "nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.src::nodejs:10",
        "relates_to_product_reference": "AppStream-8.1.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.noarch (nodejs:10) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
          "product_id": "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.noarch::nodejs:10"
        },
        "product_reference": "nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.noarch::nodejs:10",
        "relates_to_product_reference": "AppStream-8.1.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.src (nodejs:10) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
          "product_id": "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.src::nodejs:10"
        },
        "product_reference": "nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.src::nodejs:10",
        "relates_to_product_reference": "AppStream-8.1.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.aarch64 (nodejs:10) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
          "product_id": "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10"
        },
        "product_reference": "npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
        "relates_to_product_reference": "AppStream-8.1.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.ppc64le (nodejs:10) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
          "product_id": "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10"
        },
        "product_reference": "npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
        "relates_to_product_reference": "AppStream-8.1.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.s390x (nodejs:10) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
          "product_id": "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10"
        },
        "product_reference": "npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
        "relates_to_product_reference": "AppStream-8.1.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.x86_64 (nodejs:10) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
          "product_id": "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10"
        },
        "product_reference": "npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
        "relates_to_product_reference": "AppStream-8.1.0.Z.MAIN.EUS"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-15604",
      "cwe": {
        "id": "CWE-172",
        "name": "Encoding Error"
      },
      "discovery_date": "2020-02-07T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1800367"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "An encoding error flaw exists in the Node.js code that is used to read a peer certificate in the TLS client authentication. An attacker can use this flaw to crash the process used to handle TLS client authentication.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "nodejs: Remotely trigger an assertion on a TLS server with a malformed certificate string",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.src::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-docs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.noarch::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.noarch::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.src::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.noarch::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.src::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-15604"
        },
        {
          "category": "external",
          "summary": "RHBZ#1800367",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1800367"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-15604",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-15604"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-15604",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15604"
        },
        {
          "category": "external",
          "summary": "https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/",
          "url": "https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/"
        }
      ],
      "release_date": "2020-02-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-02-25T08:39:40+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-docs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:0579"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-docs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "nodejs: Remotely trigger an assertion on a TLS server with a malformed certificate string"
    },
    {
      "cve": "CVE-2019-15605",
      "cwe": {
        "id": "CWE-444",
        "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
      },
      "discovery_date": "2020-02-07T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1800364"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Node.js code where a specially crafted HTTP(s) request sent to a Node.js server failed to properly process the HTTP(s) headers, resulting in a request smuggling attack. An attacker can use this flaw to alter a request sent as an authenticated user if the Node.js server is deployed behind a proxy server that reuses connections.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "nodejs: HTTP request smuggling using malformed Transfer-Encoding header",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.src::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-docs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.noarch::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.noarch::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.src::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.noarch::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.src::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-15605"
        },
        {
          "category": "external",
          "summary": "RHBZ#1800364",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1800364"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-15605",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-15605"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-15605",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15605"
        },
        {
          "category": "external",
          "summary": "https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/",
          "url": "https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/"
        }
      ],
      "release_date": "2020-02-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-02-25T08:39:40+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-docs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:0579"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-docs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "nodejs: HTTP request smuggling using malformed Transfer-Encoding header"
    },
    {
      "cve": "CVE-2019-15606",
      "cwe": {
        "id": "CWE-138",
        "name": "Improper Neutralization of Special Elements"
      },
      "discovery_date": "2020-02-07T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1800366"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Node.js where the HTTP(s) header values were not stripped of trailing whitespace. An attacker can use this flaw to send an HTTP(s) request which is validated by an upstream proxy server, but not by the Node.js HTTP(s) server.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "nodejs: HTTP header values do not have trailing optional whitespace trimmed",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.src::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-docs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.noarch::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.noarch::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.src::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.noarch::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.src::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-15606"
        },
        {
          "category": "external",
          "summary": "RHBZ#1800366",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1800366"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-15606",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-15606"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-15606",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15606"
        },
        {
          "category": "external",
          "summary": "https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/",
          "url": "https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/"
        }
      ],
      "release_date": "2020-02-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-02-25T08:39:40+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-docs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:0579"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-docs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "nodejs: HTTP header values do not have trailing optional whitespace trimmed"
    },
    {
      "cve": "CVE-2019-16775",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2019-12-13T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1788305"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user\u0027s system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "npm: Symlink reference outside of node_modules folder through the bin field upon installation",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.src::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-docs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.noarch::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.noarch::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.src::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.noarch::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.src::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-16775"
        },
        {
          "category": "external",
          "summary": "RHBZ#1788305",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1788305"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-16775",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-16775"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-16775",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16775"
        }
      ],
      "release_date": "2019-12-12T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-02-25T08:39:40+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-docs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:0579"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-docs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "npm: Symlink reference outside of node_modules folder through the bin field upon installation"
    },
    {
      "cve": "CVE-2019-16776",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2019-12-13T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1788310"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user\u0027s system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "npm: Arbitrary file write via constructed entry in the package.json bin field",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.src::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-docs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.noarch::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.noarch::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.src::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.noarch::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.src::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-16776"
        },
        {
          "category": "external",
          "summary": "RHBZ#1788310",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1788310"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-16776",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-16776"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-16776",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16776"
        }
      ],
      "release_date": "2019-12-12T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-02-25T08:39:40+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-docs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:0579"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-docs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "npm: Arbitrary file write via constructed entry in the package.json bin field"
    },
    {
      "cve": "CVE-2019-16777",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2019-12-15T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1788301"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "npm: Global node_modules Binary Overwrite",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.src::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-docs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.noarch::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.noarch::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.src::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.noarch::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.src::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
          "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-16777"
        },
        {
          "category": "external",
          "summary": "RHBZ#1788301",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1788301"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-16777",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-16777"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-16777",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16777"
        }
      ],
      "release_date": "2019-12-12T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-02-25T08:39:40+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-docs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:0579"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-debugsource-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-devel-debuginfo-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-docs-1:10.19.0-1.module+el8.1.0+5726+6ed65f8c.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-nodemon-0:1.18.3-1.module+el8+2632+6c5111ed.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.noarch::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:nodejs-packaging-0:17-3.module+el8+2873+aa7dfd9a.src::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.aarch64::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.ppc64le::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.s390x::nodejs:10",
            "AppStream-8.1.0.Z.MAIN.EUS:npm-1:6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.x86_64::nodejs:10"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "npm: Global node_modules Binary Overwrite"
    }
  ]
}

CVE-2019-16776 (GCVE-0-2019-16776)

Vulnerability from cvelistv5 – Published: 2019-12-13 00:55 – Updated: 2024-08-05 01:24

Title

Unauthorized File Access in npm CLI before before version 6.13.3

Summary

Severity ?

7.7 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

URL

Tags

	https://blog.npmjs.org/post/189618601100/binary-p…	x_refsource_MISC
	https://github.com/npm/cli/security/advisories/GH…	x_refsource_CONFIRM
	https://www.oracle.com/security-alerts/cpujan2020.html	x_refsource_MISC
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://access.redhat.com/errata/RHEA-2020:0330	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0573	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0579	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0597	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0602	vendor-advisoryx_refsource_REDHAT

Impacted products

	Vendor	Product	Version
	npm	cli	Affected: < 6.13.3 , < 6.13.3 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T01:24:48.040Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
          },
          {
            "name": "openSUSE-SU-2020:0059",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html"
          },
          {
            "name": "FEDORA-2020-595ce5e3cc",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/"
          },
          {
            "name": "RHEA-2020:0330",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHEA-2020:0330"
          },
          {
            "name": "RHSA-2020:0573",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0573"
          },
          {
            "name": "RHSA-2020:0579",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0579"
          },
          {
            "name": "RHSA-2020:0597",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0597"
          },
          {
            "name": "RHSA-2020:0602",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0602"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cli",
          "vendor": "npm",
          "versions": [
            {
              "lessThan": "6.13.3",
              "status": "affected",
              "version": "\u003c 6.13.3",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user\u0027s system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-04-07T18:33:09.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
        },
        {
          "name": "openSUSE-SU-2020:0059",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html"
        },
        {
          "name": "FEDORA-2020-595ce5e3cc",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/"
        },
        {
          "name": "RHEA-2020:0330",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHEA-2020:0330"
        },
        {
          "name": "RHSA-2020:0573",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0573"
        },
        {
          "name": "RHSA-2020:0579",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0579"
        },
        {
          "name": "RHSA-2020:0597",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0597"
        },
        {
          "name": "RHSA-2020:0602",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0602"
        }
      ],
      "source": {
        "advisory": "GHSA-x8qc-rrcw-4r46",
        "discovery": "UNKNOWN"
      },
      "title": "Unauthorized File Access in npm CLI before before version 6.13.3",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2019-16776",
          "STATE": "PUBLIC",
          "TITLE": "Unauthorized File Access in npm CLI before before version 6.13.3"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "cli",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "\u003c 6.13.3",
                            "version_value": "6.13.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "npm"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user\u0027s system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli",
              "refsource": "MISC",
              "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli"
            },
            {
              "name": "https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46",
              "refsource": "CONFIRM",
              "url": "https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
            },
            {
              "name": "openSUSE-SU-2020:0059",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html"
            },
            {
              "name": "FEDORA-2020-595ce5e3cc",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/"
            },
            {
              "name": "RHEA-2020:0330",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHEA-2020:0330"
            },
            {
              "name": "RHSA-2020:0573",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0573"
            },
            {
              "name": "RHSA-2020:0579",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0579"
            },
            {
              "name": "RHSA-2020:0597",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0597"
            },
            {
              "name": "RHSA-2020:0602",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0602"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-x8qc-rrcw-4r46",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2019-16776",
    "datePublished": "2019-12-13T00:55:16.000Z",
    "dateReserved": "2019-09-24T00:00:00.000Z",
    "dateUpdated": "2024-08-05T01:24:48.040Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-16775 (GCVE-0-2019-16775)

Vulnerability from cvelistv5 – Published: 2019-12-13 00:55 – Updated: 2024-08-05 01:24

Title

Unauthorized File Access in npm CLI before before version 6.13.3

Summary

Severity ?

7.7 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

CWE

CWE-61 - UNIX Symbolic Link (Symlink) Following

Assigner

GitHub_M

References

URL

Tags

	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://access.redhat.com/errata/RHEA-2020:0330	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0573	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0579	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0597	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0602	vendor-advisoryx_refsource_REDHAT
	https://www.oracle.com/security-alerts/cpujan2020.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpuoct2021.html	x_refsource_MISC
	https://github.com/npm/cli/security/advisories/GH…	x_refsource_CONFIRM
	https://blog.npmjs.org/post/189618601100/binary-p…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	npm	cli	Affected: < 6.13.3 , < 6.13.3 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T01:24:48.326Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "openSUSE-SU-2020:0059",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html"
          },
          {
            "name": "FEDORA-2020-595ce5e3cc",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/"
          },
          {
            "name": "RHEA-2020:0330",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHEA-2020:0330"
          },
          {
            "name": "RHSA-2020:0573",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0573"
          },
          {
            "name": "RHSA-2020:0579",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0579"
          },
          {
            "name": "RHSA-2020:0597",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0597"
          },
          {
            "name": "RHSA-2020:0602",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0602"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cli",
          "vendor": "npm",
          "versions": [
            {
              "lessThan": "6.13.3",
              "status": "affected",
              "version": "\u003c 6.13.3",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user\u0027s system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-61",
              "description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-10-20T10:38:25.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "openSUSE-SU-2020:0059",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html"
        },
        {
          "name": "FEDORA-2020-595ce5e3cc",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/"
        },
        {
          "name": "RHEA-2020:0330",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHEA-2020:0330"
        },
        {
          "name": "RHSA-2020:0573",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0573"
        },
        {
          "name": "RHSA-2020:0579",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0579"
        },
        {
          "name": "RHSA-2020:0597",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0597"
        },
        {
          "name": "RHSA-2020:0602",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0602"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli"
        }
      ],
      "source": {
        "advisory": "GHSA-m6cx-g6qm-p2cx",
        "discovery": "UNKNOWN"
      },
      "title": "Unauthorized File Access in npm CLI before before version 6.13.3",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2019-16775",
          "STATE": "PUBLIC",
          "TITLE": "Unauthorized File Access in npm CLI before before version 6.13.3"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "cli",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "\u003c 6.13.3",
                            "version_value": "6.13.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "npm"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user\u0027s system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-61: UNIX Symbolic Link (Symlink) Following"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "openSUSE-SU-2020:0059",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html"
            },
            {
              "name": "FEDORA-2020-595ce5e3cc",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/"
            },
            {
              "name": "RHEA-2020:0330",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHEA-2020:0330"
            },
            {
              "name": "RHSA-2020:0573",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0573"
            },
            {
              "name": "RHSA-2020:0579",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0579"
            },
            {
              "name": "RHSA-2020:0597",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0597"
            },
            {
              "name": "RHSA-2020:0602",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0602"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "name": "https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx",
              "refsource": "CONFIRM",
              "url": "https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx"
            },
            {
              "name": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli",
              "refsource": "MISC",
              "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-m6cx-g6qm-p2cx",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2019-16775",
    "datePublished": "2019-12-13T00:55:15.000Z",
    "dateReserved": "2019-09-24T00:00:00.000Z",
    "dateUpdated": "2024-08-05T01:24:48.326Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-16777 (GCVE-0-2019-16777)

Vulnerability from cvelistv5 – Published: 2019-12-13 01:00 – Updated: 2024-08-05 01:24

Title

Arbitrary File Overwrite in npm CLI

Summary

Severity ?

7.7 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

URL

Tags

	https://blog.npmjs.org/post/189618601100/binary-p…	x_refsource_MISC
	https://github.com/npm/cli/security/advisories/GH…	x_refsource_CONFIRM
	https://www.oracle.com/security-alerts/cpujan2020.html	x_refsource_MISC
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://access.redhat.com/errata/RHEA-2020:0330	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0573	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0579	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0597	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0602	vendor-advisoryx_refsource_REDHAT
	https://security.gentoo.org/glsa/202003-48	vendor-advisoryx_refsource_GENTOO

Impacted products

	Vendor	Product	Version
	npm	cli	Affected: < 6.13.4 , < 6.13.4 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T01:24:47.252Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/npm/cli/security/advisories/GHSA-4328-8hgf-7wjr"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
          },
          {
            "name": "openSUSE-SU-2020:0059",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html"
          },
          {
            "name": "FEDORA-2020-595ce5e3cc",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/"
          },
          {
            "name": "RHEA-2020:0330",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHEA-2020:0330"
          },
          {
            "name": "RHSA-2020:0573",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0573"
          },
          {
            "name": "RHSA-2020:0579",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0579"
          },
          {
            "name": "RHSA-2020:0597",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0597"
          },
          {
            "name": "RHSA-2020:0602",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0602"
          },
          {
            "name": "GLSA-202003-48",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202003-48"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cli",
          "vendor": "npm",
          "versions": [
            {
              "lessThan": "6.13.4",
              "status": "affected",
              "version": "\u003c 6.13.4",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-03-20T20:06:15.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/npm/cli/security/advisories/GHSA-4328-8hgf-7wjr"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
        },
        {
          "name": "openSUSE-SU-2020:0059",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html"
        },
        {
          "name": "FEDORA-2020-595ce5e3cc",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/"
        },
        {
          "name": "RHEA-2020:0330",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHEA-2020:0330"
        },
        {
          "name": "RHSA-2020:0573",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0573"
        },
        {
          "name": "RHSA-2020:0579",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0579"
        },
        {
          "name": "RHSA-2020:0597",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0597"
        },
        {
          "name": "RHSA-2020:0602",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0602"
        },
        {
          "name": "GLSA-202003-48",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202003-48"
        }
      ],
      "source": {
        "advisory": "GHSA-4328-8hgf-7wjr",
        "discovery": "UNKNOWN"
      },
      "title": "Arbitrary File Overwrite in npm CLI",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2019-16777",
          "STATE": "PUBLIC",
          "TITLE": "Arbitrary File Overwrite in npm CLI"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "cli",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "\u003c 6.13.4",
                            "version_value": "6.13.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "npm"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli",
              "refsource": "MISC",
              "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli"
            },
            {
              "name": "https://github.com/npm/cli/security/advisories/GHSA-4328-8hgf-7wjr",
              "refsource": "CONFIRM",
              "url": "https://github.com/npm/cli/security/advisories/GHSA-4328-8hgf-7wjr"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
            },
            {
              "name": "openSUSE-SU-2020:0059",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html"
            },
            {
              "name": "FEDORA-2020-595ce5e3cc",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/"
            },
            {
              "name": "RHEA-2020:0330",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHEA-2020:0330"
            },
            {
              "name": "RHSA-2020:0573",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0573"
            },
            {
              "name": "RHSA-2020:0579",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0579"
            },
            {
              "name": "RHSA-2020:0597",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0597"
            },
            {
              "name": "RHSA-2020:0602",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0602"
            },
            {
              "name": "GLSA-202003-48",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202003-48"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-4328-8hgf-7wjr",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2019-16777",
    "datePublished": "2019-12-13T01:00:21.000Z",
    "dateReserved": "2019-09-24T00:00:00.000Z",
    "dateUpdated": "2024-08-05T01:24:47.252Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-15606 (GCVE-0-2019-15606)

Vulnerability from cvelistv5 – Published: 2020-02-07 14:58 – Updated: 2025-04-30 22:24

Summary

Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons

Severity ?

No CVSS data available.

CWE

CWE-20 - Improper Input Validation (CWE-20)

Assigner

hackerone

References

URL

Tags

	https://access.redhat.com/errata/RHSA-2020:0573	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0579	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0597	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0598	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0602	vendor-advisoryx_refsource_REDHAT
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
	https://security.gentoo.org/glsa/202003-48	vendor-advisoryx_refsource_GENTOO
	https://www.debian.org/security/2020/dsa-4669	vendor-advisoryx_refsource_DEBIAN
	https://www.oracle.com/security-alerts/cpuapr2020.html	x_refsource_MISC
	https://www.oracle.com//security-alerts/cpujul2021.html	x_refsource_MISC
	https://nodejs.org/en/blog/release/v13.8.0/	x_refsource_CONFIRM
	https://nodejs.org/en/blog/vulnerability/february…	x_refsource_CONFIRM
	https://nodejs.org/en/blog/release/v10.19.0/	x_refsource_CONFIRM
	https://nodejs.org/en/blog/release/v12.15.0/	x_refsource_CONFIRM
	https://security.netapp.com/advisory/ntap-2020022…	x_refsource_CONFIRM
	https://hackerone.com/reports/730779	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	NodeJS	Node	Affected: 4.0 , < 4.* (semver) Affected: 5.0 , < 5.* (semver) Affected: 6.0 , < 6.* (semver) Affected: 7.0 , < 7.* (semver) Affected: 8.0 , < 8.* (semver) Affected: 9.0 , < 9.* (semver) Affected: 10.0 , < 10.19.0 (semver) Affected: 11.0 , < 11.* (semver) Affected: 12.0 , < 12.15.0 (semver) Affected: 13.0 , < 13.8.0 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T00:49:13.841Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2020:0573",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0573"
          },
          {
            "name": "RHSA-2020:0579",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0579"
          },
          {
            "name": "RHSA-2020:0597",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0597"
          },
          {
            "name": "RHSA-2020:0598",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0598"
          },
          {
            "name": "RHSA-2020:0602",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0602"
          },
          {
            "name": "openSUSE-SU-2020:0293",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html"
          },
          {
            "name": "GLSA-202003-48",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202003-48"
          },
          {
            "name": "DSA-4669",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4669"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://nodejs.org/en/blog/release/v13.8.0/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://nodejs.org/en/blog/release/v10.19.0/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://nodejs.org/en/blog/release/v12.15.0/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20200221-0004/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/730779"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Node",
          "vendor": "NodeJS",
          "versions": [
            {
              "lessThan": "4.*",
              "status": "affected",
              "version": "4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.*",
              "status": "affected",
              "version": "5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.*",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.*",
              "status": "affected",
              "version": "7.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.*",
              "status": "affected",
              "version": "8.0",
              "versionType": "semver"
            },
            {
              "lessThan": "9.*",
              "status": "affected",
              "version": "9.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.19.0",
              "status": "affected",
              "version": "10.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.*",
              "status": "affected",
              "version": "11.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.15.0",
              "status": "affected",
              "version": "12.0",
              "versionType": "semver"
            },
            {
              "lessThan": "13.8.0",
              "status": "affected",
              "version": "13.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "Improper Input Validation (CWE-20)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-30T22:24:24.274Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "name": "RHSA-2020:0573",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0573"
        },
        {
          "name": "RHSA-2020:0579",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0579"
        },
        {
          "name": "RHSA-2020:0597",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0597"
        },
        {
          "name": "RHSA-2020:0598",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0598"
        },
        {
          "name": "RHSA-2020:0602",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0602"
        },
        {
          "name": "openSUSE-SU-2020:0293",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html"
        },
        {
          "name": "GLSA-202003-48",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202003-48"
        },
        {
          "name": "DSA-4669",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4669"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://nodejs.org/en/blog/release/v13.8.0/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://nodejs.org/en/blog/release/v10.19.0/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://nodejs.org/en/blog/release/v12.15.0/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20200221-0004/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/730779"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "ID": "CVE-2019-15606",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "https://github.com/nodejs/node",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "10.19.0, 12.15.0, 13.8.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Improper Input Validation (CWE-20)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2020:0573",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0573"
            },
            {
              "name": "RHSA-2020:0579",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0579"
            },
            {
              "name": "RHSA-2020:0597",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0597"
            },
            {
              "name": "RHSA-2020:0598",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0598"
            },
            {
              "name": "RHSA-2020:0602",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0602"
            },
            {
              "name": "openSUSE-SU-2020:0293",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html"
            },
            {
              "name": "GLSA-202003-48",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202003-48"
            },
            {
              "name": "DSA-4669",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4669"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
            },
            {
              "name": "https://www.oracle.com//security-alerts/cpujul2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "name": "https://nodejs.org/en/blog/release/v13.8.0/",
              "refsource": "CONFIRM",
              "url": "https://nodejs.org/en/blog/release/v13.8.0/"
            },
            {
              "name": "https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/",
              "refsource": "CONFIRM",
              "url": "https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/"
            },
            {
              "name": "https://nodejs.org/en/blog/release/v10.19.0/",
              "refsource": "CONFIRM",
              "url": "https://nodejs.org/en/blog/release/v10.19.0/"
            },
            {
              "name": "https://nodejs.org/en/blog/release/v12.15.0/",
              "refsource": "CONFIRM",
              "url": "https://nodejs.org/en/blog/release/v12.15.0/"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20200221-0004/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20200221-0004/"
            },
            {
              "name": "https://hackerone.com/reports/730779",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/730779"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2019-15606",
    "datePublished": "2020-02-07T14:58:08.000Z",
    "dateReserved": "2019-08-26T00:00:00.000Z",
    "dateUpdated": "2025-04-30T22:24:24.274Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-15604 (GCVE-0-2019-15604)

Vulnerability from cvelistv5 – Published: 2020-02-07 14:57 – Updated: 2025-04-30 22:24

Summary

Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate

Severity ?

No CVSS data available.

CWE

CWE-295 - Improper Certificate Validation (CWE-295)

Assigner

hackerone

References

URL

Tags

	https://access.redhat.com/errata/RHSA-2020:0573	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0579	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0597	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0598	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0602	vendor-advisoryx_refsource_REDHAT
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
	https://security.gentoo.org/glsa/202003-48	vendor-advisoryx_refsource_GENTOO
	https://www.debian.org/security/2020/dsa-4669	vendor-advisoryx_refsource_DEBIAN
	https://www.oracle.com/security-alerts/cpuapr2020.html	x_refsource_MISC
	https://www.oracle.com//security-alerts/cpujul2021.html	x_refsource_MISC
	https://hackerone.com/reports/746733	x_refsource_MISC
	https://nodejs.org/en/blog/release/v13.8.0/	x_refsource_CONFIRM
	https://nodejs.org/en/blog/vulnerability/february…	x_refsource_CONFIRM
	https://nodejs.org/en/blog/release/v10.19.0/	x_refsource_CONFIRM
	https://nodejs.org/en/blog/release/v12.15.0/	x_refsource_CONFIRM
	https://security.netapp.com/advisory/ntap-2020022…	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	NodeJS	Node	Affected: 4.0 , < 4.* (semver) Affected: 5.0 , < 5.* (semver) Affected: 6.0 , < 6.* (semver) Affected: 7.0 , < 7.* (semver) Affected: 8.0 , < 8.* (semver) Affected: 9.0 , < 9.* (semver) Affected: 10.0 , < 10.19.0 (semver) Affected: 11.0 , < 11.* (semver) Affected: 12.0 , < 12.15.0 (semver) Affected: 13.0 , < 13.8.0 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T00:49:13.675Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2020:0573",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0573"
          },
          {
            "name": "RHSA-2020:0579",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0579"
          },
          {
            "name": "RHSA-2020:0597",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0597"
          },
          {
            "name": "RHSA-2020:0598",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0598"
          },
          {
            "name": "RHSA-2020:0602",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0602"
          },
          {
            "name": "openSUSE-SU-2020:0293",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html"
          },
          {
            "name": "GLSA-202003-48",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202003-48"
          },
          {
            "name": "DSA-4669",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4669"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/746733"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://nodejs.org/en/blog/release/v13.8.0/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://nodejs.org/en/blog/release/v10.19.0/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://nodejs.org/en/blog/release/v12.15.0/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20200221-0004/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Node",
          "vendor": "NodeJS",
          "versions": [
            {
              "lessThan": "4.*",
              "status": "affected",
              "version": "4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.*",
              "status": "affected",
              "version": "5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.*",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.*",
              "status": "affected",
              "version": "7.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.*",
              "status": "affected",
              "version": "8.0",
              "versionType": "semver"
            },
            {
              "lessThan": "9.*",
              "status": "affected",
              "version": "9.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.19.0",
              "status": "affected",
              "version": "10.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.*",
              "status": "affected",
              "version": "11.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.15.0",
              "status": "affected",
              "version": "12.0",
              "versionType": "semver"
            },
            {
              "lessThan": "13.8.0",
              "status": "affected",
              "version": "13.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "Improper Certificate Validation (CWE-295)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-30T22:24:22.492Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "name": "RHSA-2020:0573",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0573"
        },
        {
          "name": "RHSA-2020:0579",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0579"
        },
        {
          "name": "RHSA-2020:0597",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0597"
        },
        {
          "name": "RHSA-2020:0598",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0598"
        },
        {
          "name": "RHSA-2020:0602",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0602"
        },
        {
          "name": "openSUSE-SU-2020:0293",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html"
        },
        {
          "name": "GLSA-202003-48",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202003-48"
        },
        {
          "name": "DSA-4669",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4669"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/746733"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://nodejs.org/en/blog/release/v13.8.0/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://nodejs.org/en/blog/release/v10.19.0/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://nodejs.org/en/blog/release/v12.15.0/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20200221-0004/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "ID": "CVE-2019-15604",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "https://github.com/nodejs/node",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "10.19.0, 12.15.0, 13.8.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Improper Certificate Validation (CWE-295)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2020:0573",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0573"
            },
            {
              "name": "RHSA-2020:0579",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0579"
            },
            {
              "name": "RHSA-2020:0597",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0597"
            },
            {
              "name": "RHSA-2020:0598",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0598"
            },
            {
              "name": "RHSA-2020:0602",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0602"
            },
            {
              "name": "openSUSE-SU-2020:0293",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html"
            },
            {
              "name": "GLSA-202003-48",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202003-48"
            },
            {
              "name": "DSA-4669",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4669"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
            },
            {
              "name": "https://www.oracle.com//security-alerts/cpujul2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "name": "https://hackerone.com/reports/746733",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/746733"
            },
            {
              "name": "https://nodejs.org/en/blog/release/v13.8.0/",
              "refsource": "CONFIRM",
              "url": "https://nodejs.org/en/blog/release/v13.8.0/"
            },
            {
              "name": "https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/",
              "refsource": "CONFIRM",
              "url": "https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/"
            },
            {
              "name": "https://nodejs.org/en/blog/release/v10.19.0/",
              "refsource": "CONFIRM",
              "url": "https://nodejs.org/en/blog/release/v10.19.0/"
            },
            {
              "name": "https://nodejs.org/en/blog/release/v12.15.0/",
              "refsource": "CONFIRM",
              "url": "https://nodejs.org/en/blog/release/v12.15.0/"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20200221-0004/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20200221-0004/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2019-15604",
    "datePublished": "2020-02-07T14:57:07.000Z",
    "dateReserved": "2019-08-26T00:00:00.000Z",
    "dateUpdated": "2025-04-30T22:24:22.492Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-15605 (GCVE-0-2019-15605)

Vulnerability from cvelistv5 – Published: 2020-02-07 14:55 – Updated: 2025-04-30 22:24

Summary

HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed

Severity ?

No CVSS data available.

CWE

CWE-444 - HTTP Request Smuggling (CWE-444)

Assigner

hackerone

References

URL

Tags

	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://access.redhat.com/errata/RHSA-2020:0573	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0579	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0597	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0598	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0602	vendor-advisoryx_refsource_REDHAT
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
	https://access.redhat.com/errata/RHSA-2020:0703	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0707	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0708	vendor-advisoryx_refsource_REDHAT
	https://security.gentoo.org/glsa/202003-48	vendor-advisoryx_refsource_GENTOO
	https://www.debian.org/security/2020/dsa-4669	vendor-advisoryx_refsource_DEBIAN
	https://www.oracle.com/security-alerts/cpuapr2020.html	x_refsource_MISC
	https://www.oracle.com//security-alerts/cpujul2021.html	x_refsource_MISC
	https://nodejs.org/en/blog/release/v13.8.0/	x_refsource_CONFIRM
	https://nodejs.org/en/blog/vulnerability/february…	x_refsource_CONFIRM
	https://nodejs.org/en/blog/release/v10.19.0/	x_refsource_CONFIRM
	https://nodejs.org/en/blog/release/v12.15.0/	x_refsource_CONFIRM
	https://security.netapp.com/advisory/ntap-2020022…	x_refsource_CONFIRM
	https://hackerone.com/reports/735748	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	NodeJS	Node	Affected: 4.0 , < 4.* (semver) Affected: 5.0 , < 5.* (semver) Affected: 6.0 , < 6.* (semver) Affected: 7.0 , < 7.* (semver) Affected: 8.0 , < 8.* (semver) Affected: 9.0 , < 9.* (semver) Affected: 10.0 , < 10.19.0 (semver) Affected: 11.0 , < 11.* (semver) Affected: 12.0 , < 12.15.0 (semver) Affected: 13.0 , < 13.8.0 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T00:49:13.764Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "FEDORA-2020-3838c8ea98",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLB676PDU4RJQLWQUA277YNGYYNEYGWO/"
          },
          {
            "name": "FEDORA-2020-47efc31973",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CT3WTR4P5VAJ3GJGKPYEDUPTNZ3IEDUR/"
          },
          {
            "name": "RHSA-2020:0573",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0573"
          },
          {
            "name": "RHSA-2020:0579",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0579"
          },
          {
            "name": "RHSA-2020:0597",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0597"
          },
          {
            "name": "RHSA-2020:0598",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0598"
          },
          {
            "name": "RHSA-2020:0602",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0602"
          },
          {
            "name": "openSUSE-SU-2020:0293",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html"
          },
          {
            "name": "RHSA-2020:0703",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0703"
          },
          {
            "name": "RHSA-2020:0707",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0707"
          },
          {
            "name": "RHSA-2020:0708",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0708"
          },
          {
            "name": "GLSA-202003-48",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202003-48"
          },
          {
            "name": "DSA-4669",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4669"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://nodejs.org/en/blog/release/v13.8.0/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://nodejs.org/en/blog/release/v10.19.0/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://nodejs.org/en/blog/release/v12.15.0/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20200221-0004/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/735748"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Node",
          "vendor": "NodeJS",
          "versions": [
            {
              "lessThan": "4.*",
              "status": "affected",
              "version": "4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.*",
              "status": "affected",
              "version": "5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.*",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.*",
              "status": "affected",
              "version": "7.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.*",
              "status": "affected",
              "version": "8.0",
              "versionType": "semver"
            },
            {
              "lessThan": "9.*",
              "status": "affected",
              "version": "9.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.19.0",
              "status": "affected",
              "version": "10.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.*",
              "status": "affected",
              "version": "11.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.15.0",
              "status": "affected",
              "version": "12.0",
              "versionType": "semver"
            },
            {
              "lessThan": "13.8.0",
              "status": "affected",
              "version": "13.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "HTTP Request Smuggling (CWE-444)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-30T22:24:23.404Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "name": "FEDORA-2020-3838c8ea98",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLB676PDU4RJQLWQUA277YNGYYNEYGWO/"
        },
        {
          "name": "FEDORA-2020-47efc31973",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CT3WTR4P5VAJ3GJGKPYEDUPTNZ3IEDUR/"
        },
        {
          "name": "RHSA-2020:0573",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0573"
        },
        {
          "name": "RHSA-2020:0579",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0579"
        },
        {
          "name": "RHSA-2020:0597",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0597"
        },
        {
          "name": "RHSA-2020:0598",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0598"
        },
        {
          "name": "RHSA-2020:0602",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0602"
        },
        {
          "name": "openSUSE-SU-2020:0293",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html"
        },
        {
          "name": "RHSA-2020:0703",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0703"
        },
        {
          "name": "RHSA-2020:0707",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0707"
        },
        {
          "name": "RHSA-2020:0708",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0708"
        },
        {
          "name": "GLSA-202003-48",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202003-48"
        },
        {
          "name": "DSA-4669",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4669"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://nodejs.org/en/blog/release/v13.8.0/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://nodejs.org/en/blog/release/v10.19.0/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://nodejs.org/en/blog/release/v12.15.0/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20200221-0004/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/735748"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "ID": "CVE-2019-15605",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "https://github.com/nodejs/node",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "10.19.0, 12.15.0, 13.8.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "HTTP Request Smuggling (CWE-444)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "FEDORA-2020-3838c8ea98",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLB676PDU4RJQLWQUA277YNGYYNEYGWO/"
            },
            {
              "name": "FEDORA-2020-47efc31973",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CT3WTR4P5VAJ3GJGKPYEDUPTNZ3IEDUR/"
            },
            {
              "name": "RHSA-2020:0573",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0573"
            },
            {
              "name": "RHSA-2020:0579",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0579"
            },
            {
              "name": "RHSA-2020:0597",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0597"
            },
            {
              "name": "RHSA-2020:0598",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0598"
            },
            {
              "name": "RHSA-2020:0602",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0602"
            },
            {
              "name": "openSUSE-SU-2020:0293",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html"
            },
            {
              "name": "RHSA-2020:0703",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0703"
            },
            {
              "name": "RHSA-2020:0707",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0707"
            },
            {
              "name": "RHSA-2020:0708",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0708"
            },
            {
              "name": "GLSA-202003-48",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202003-48"
            },
            {
              "name": "DSA-4669",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4669"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
            },
            {
              "name": "https://www.oracle.com//security-alerts/cpujul2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "name": "https://nodejs.org/en/blog/release/v13.8.0/",
              "refsource": "CONFIRM",
              "url": "https://nodejs.org/en/blog/release/v13.8.0/"
            },
            {
              "name": "https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/",
              "refsource": "CONFIRM",
              "url": "https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/"
            },
            {
              "name": "https://nodejs.org/en/blog/release/v10.19.0/",
              "refsource": "CONFIRM",
              "url": "https://nodejs.org/en/blog/release/v10.19.0/"
            },
            {
              "name": "https://nodejs.org/en/blog/release/v12.15.0/",
              "refsource": "CONFIRM",
              "url": "https://nodejs.org/en/blog/release/v12.15.0/"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20200221-0004/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20200221-0004/"
            },
            {
              "name": "https://hackerone.com/reports/735748",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/735748"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2019-15605",
    "datePublished": "2020-02-07T14:55:22.000Z",
    "dateReserved": "2019-08-26T00:00:00.000Z",
    "dateUpdated": "2025-04-30T22:24:23.404Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2020:0579

CVE-2019-16776 (GCVE-0-2019-16776)

CVE-2019-16775 (GCVE-0-2019-16775)

CVE-2019-16777 (GCVE-0-2019-16777)

CVE-2019-15606 (GCVE-0-2019-15606)

CVE-2019-15604 (GCVE-0-2019-15604)

CVE-2019-15605 (GCVE-0-2019-15605)

Tags

Sightings

Nomenclature