CVSS2: 5.8 Medium

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | MEDIUM |
| Authentication | NONE |
| Confidentiality Impact | PARTIAL |
| Integrity Impact | PARTIAL |
| Availability Impact | NONE |

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS3: 6.1 Medium

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | CHANGED |
| Confidentiality Impact | LOW |
| Integrity Impact | LOW |
| Availability Impact | NONE |

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001 Low (Percentile 39.2%)
Using followRedirects or followRedirectsWith with any of the redirection strategies built into fluture-node 4.0.0 or 4.0.1, paired with a request that includes confidential headers such as Authorization or Cookie, exposes those headers: if the destination server redirects the request to a server on a third-party domain, or to the same domain over unencrypted HTTP, the headers are included in the follow-up request and disclosed to the third party or to anyone able to sniff the plaintext HTTP traffic.

The redirection strategies made available in version 4.0.2 automatically redact confidential headers when a redirect is followed across to another origin.

Workaround: use a custom redirection strategy via the followRedirectsWith function. The custom strategy can be based on the new strategies available in fluture-node@4.0.2.
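The decision a safe redirection strategy has to make, as an added example in plain Node.js (not fluture-node's own strategy code): given the current URL, the Location header and the outgoing headers, it drops Authorization and Cookie whenever the target is another origin, which covers both cases the description names (a third-party host, and the same host over plain HTTP) and also a port change, since the WHATWG origin includes the port. The header names, URLs and values below are constructed for the example.

```javascript
// Added example, not fluture-node's code. Header names are compared
// case-insensitively, as HTTP requires; extend the list if your client
// sends other credentials.
const CONFIDENTIAL_HEADERS = ['authorization', 'cookie'];

// Decide how to follow a redirect from `currentUrl` to the `location`
// value the server returned. Returns the resolved target URL, the headers
// that may be forwarded, the header names that were stripped, and why.
function planRedirect(currentUrl, location, headers) {
  const from = new URL(currentUrl);
  const to = new URL(location, from); // resolves relative Location values
  const downgrade = from.protocol === 'https:' && to.protocol === 'http:';
  const crossOrigin = from.origin !== to.origin; // scheme + host + port
  const reason = downgrade ? 'downgrade-to-http'
               : crossOrigin ? 'cross-origin'
               : null;
  const forwarded = {};
  const redacted = [];
  for (const [name, value] of Object.entries(headers)) {
    if (reason !== null && CONFIDENTIAL_HEADERS.includes(name.toLowerCase())) {
      redacted.push(name); // never re-send credentials to a new origin
    } else {
      forwarded[name] = value;
    }
  }
  return { url: to.href, headers: forwarded, redacted, reason };
}

// Constructed sample: an authenticated API call answered with a redirect
// to a CDN on another host. The original headers object is left untouched.
const sampleHeaders = {
  Authorization: 'Bearer constructed-token',
  Cookie: 'session=constructed',
  Accept: 'application/json',
};
const plan = planRedirect('https://api.example.com/v1/data',
                          'https://cdn.example.com/data', sampleHeaders);
console.log(plan.reason, plan.redacted, Object.keys(plan.headers));
```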
follow-redirects package. There is more information there: https://github.com/advisories/GHSA-74fj-2j2h-c42q and https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db/

| CPE | Name | Operator | Version |
|---|---|---|---|
| | request-util | ge | 0 |
| | fluture-node | lt | 4.0.2 |
github.com/advisories/GHSA-32x6-qvw6-mxj4
github.com/fluture-js/fluture-node/commit/0c99bc511533d48be17dc6bfe641f7d0aeb34d77
github.com/fluture-js/fluture-node/commit/125e4474f910c1507f8ec3232848626fbc0f55c4
github.com/fluture-js/fluture-node/security/advisories/GHSA-32x6-qvw6-mxj4
github.com/psf/requests/pull/4718
github.com/pypa/advisory-database/tree/main/vulns/request-util/PYSEC-2022-43052.yaml
nvd.nist.gov/vuln/detail/CVE-2022-24719