Critical Node.js Info Disclosure, Code Execution Bugs Fixed
Several significant security issues were fixed in Node.js, including two critical vulnerabilities that have received a National Vulnerability Database base score of 9.8 out of 10. CVE-2019-15605 is an HTTP request smuggling bug in Node.js 10, 12, and 13 that causes malicious payload delivery when transfer-encoding is malformed, and CVE-2019-15606 is an authorization bypass issue in Nodejs 10, 12, and 13.
A remote attacker could possibly use these issues to obtain sensitive information or execute arbitrary code.
Essential Node.js security updates have been released to fix these severe flaws. We urge all impacted users to apply the updates released by Ubuntu immediately to protect their critical systems and sensitive data against attacks leading to compromise.
To stay on top of essential updates released by the open-source programs and applications you use, register as a LinuxSecurity user, subscribe to our Linux Advisory Watch newsletter, and customize your advisories for your distro(s). This will enable you to stay up-to-date on the latest, most significant issues impacting the security of your systems.
Follow @LS_Advisories on Twitter for real-time updates on advisories for your distro(s).