CVE-2019-15605: Node.js is vulnerable to request smuggling
Severity
Critical
Vendor
Pivotal
Description
Node.js Offline Buildpack, all versions prior to 1.7.13; App Metrics, all versions prior to 2.0.0; and VMware Tanzu Application Service for VMs, 2.6.x versions prior to 2.6.17, 2.7.x versions prior to 2.7.11, and 2.8.x versions prior to 2.8.5, default to a version of Node.js that is vulnerable to HTTP request smuggling, which allows malicious payload delivery to unsuspecting users.
Affected VMware Products and Versions
Severity is critical unless otherwise noted.
- Node.js Offline Buildpack
  - All versions prior to 1.7.13
- App Metrics (formerly Pivotal Cloud Foundry Metrics)
  - All versions prior to 2.0.0
- VMware Tanzu Application Service for VMs (formerly Pivotal Application Service)
  - 2.6.x versions prior to 2.6.17
  - 2.7.x versions prior to 2.7.11
  - 2.8.x versions prior to 2.8.5
Mitigation
Users of affected versions should upgrade to the following fixed versions (the upgrade is the mitigation):
- Node.js Offline Buildpack
  - 1.7.13
- App Metrics
  - 2.0.0
- VMware Tanzu Application Service for VMs
  - 2.6.17
  - 2.7.11
  - 2.8.5
  - 2.9.0
References
- https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
- https://www.cloudfoundry.org/blog/cve-2019-15605/
History
2020-05-26: Initial vulnerability report published.