Lucene search
K

246 matches found

RedHat Linux
RedHat Linux
added 2022/11/17 1:40 p.m.3 views

node-fetch: exposure of sensitive information to an unauthorized actor

A flaw was found in node-fetch. When following a redirect to a third-party domain, node-fetch was forwarding sensitive headers such as "Authorization," "WWW-Authenticate," and "Cookie" to potentially untrusted targets. This flaw leads to the exposure of sensitive information to an unauthorized...

8.8CVSS7.2AI score0.01646EPSS
Exploits1References5
RedHat Linux
RedHat Linux
added 2022/10/06 12:26 p.m.3 views

node-fetch: exposure of sensitive information to an unauthorized actor

A flaw was found in node-fetch. When following a redirect to a third-party domain, node-fetch was forwarding sensitive headers such as "Authorization," "WWW-Authenticate," and "Cookie" to potentially untrusted targets. This flaw leads to the exposure of sensitive information to an unauthorized...

8.8CVSS7.2AI score0.01646EPSS
Exploits1References5
RedHat Linux
RedHat Linux
added 2022/10/05 10:44 a.m.2 views

node-fetch: exposure of sensitive information to an unauthorized actor

A flaw was found in node-fetch. When following a redirect to a third-party domain, node-fetch was forwarding sensitive headers such as "Authorization," "WWW-Authenticate," and "Cookie" to potentially untrusted targets. This flaw leads to the exposure of sensitive information to an unauthorized...

8.8CVSS7.2AI score0.01646EPSS
Exploits1References5
UbuntuCve
UbuntuCve
added 2022/07/21 4:15 a.m.34 views

CVE-2022-31151

Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or...

6.5CVSS6.7AI score0.00584EPSS
Exploits1References4
CVE
CVE
added 2022/07/20 11:0 p.m.218 views

CVE-2022-31151

CVE-2022-31151 affects the Node.js undici HTTP client. The issue is that during cross-origin redirects, authorization headers are cleared but cookie headers are not, potentially leaking cookies to a third party if an attacker controls the redirect target. The problem was patched in undici v5.7.1,...

6.5CVSS5.1AI score0.00584EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2022/05/17 5:5 a.m.22 views

Rack-Cache caches sensitive headers

The Rack::Cache rubygem 0.3.0 through 1.1 caches Set-Cookie and other sensitive headers, which allows attackers to obtain sensitive cookie information, hijack web sessions, or have other unspecified impact by accessing the cache...

7.5CVSS6AI score0.02359EPSS
Exploits0References11Affected Software1
OSV
OSV
added 2022/05/17 5:5 a.m.18 views

GHSA-HRP6-W4V2-8737 Rack-Cache caches sensitive headers

The Rack::Cache rubygem 0.3.0 through 1.1 caches Set-Cookie and other sensitive headers, which allows attackers to obtain sensitive cookie information, hijack web sessions, or have other unspecified impact by accessing the cache...

7.5CVSS6AI score0.02359EPSS
Exploits0References10
CNNVD
CNNVD
added 2022/03/09 12:0 a.m.4 views

Shopware 信息泄露漏洞

Shopware is a suite of open source e-commerce software from the German company Shopware.Shopware suffers from an information disclosure vulnerability that stems from not properly setting sensitive HTTP headers to be uncacheable. An attacker could exploit the vulnerability to cause the header to...

6.3CVSS5.7AI score0.01055EPSS
Exploits0References4
OSV
OSV
added 2021/12/07 7:57 a.m.6 views

SUSE-SU-2021:3964-1 Security update for nodejs14

This update for nodejs14 fixes the following issues: nodejs14 was updated to 14.18.1: deps: update llhttp to 2.1.4 - HTTP Request Smuggling due to spaced in headers bsc1191601, CVE-2021-22959 - HTTP Request Smuggling when parsing the body bsc1191602, CVE-2021-22960 Changes in 14.18.0: buffer: +...

8.6CVSS7.4AI score0.03286EPSS
Exploits2References15
Github Security Blog
Github Security Blog
added 2021/05/10 3:18 p.m.67 views

Incorrect Authorization in Spring Cloud Netflix Zuul

Applications using the “Sensitive Headers” functionality in Spring Cloud Netflix Zuul 2.2.6.RELEASE and below may be vulnerable to bypassing the “Sensitive Headers” restriction when executing requests with specially constructed URLs. Applications that use Spring Security's StrictHttpFirewall...

5.3CVSS2.4AI score0.00819EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2021/05/10 3:18 p.m.37 views

GHSA-VWPG-F6GW-RJVF Incorrect Authorization in Spring Cloud Netflix Zuul

Applications using the “Sensitive Headers” functionality in Spring Cloud Netflix Zuul 2.2.6.RELEASE and below may be vulnerable to bypassing the “Sensitive Headers” restriction when executing requests with specially constructed URLs. Applications that use Spring Security's StrictHttpFirewall...

5.3CVSS5.2AI score0.00819EPSS
Exploits0References3
OSV
OSV
added 2021/02/23 5:15 p.m.5 views

CVE-2021-22113

Applications using the “Sensitive Headers” functionality in Spring Cloud Netflix Zuul 2.2.6.RELEASE and below may be vulnerable to bypassing the “Sensitive Headers” restriction when executing requests with specially constructed URLs. Applications that use Spring Security's StrictHttpFirewall...

5.3CVSS6AI score0.00819EPSS
Exploits0References1
NVD
NVD
added 2021/02/23 5:15 p.m.54 views

CVE-2021-22113

Applications using the “Sensitive Headers” functionality in Spring Cloud Netflix Zuul 2.2.6.RELEASE and below may be vulnerable to bypassing the “Sensitive Headers” restriction when executing requests with specially constructed URLs. Applications that use Spring Security's StrictHttpFirewall...

5.3CVSS0.00819EPSS
Exploits0References1
Prion
Prion
added 2021/02/23 5:15 p.m.20 views

Design/Logic Flaw

Applications using the “Sensitive Headers” functionality in Spring Cloud Netflix Zuul 2.2.6.RELEASE and below may be vulnerable to bypassing the “Sensitive Headers” restriction when executing requests with specially constructed URLs. Applications that use Spring Security's StrictHttpFirewall...

4.3CVSS5.2AI score0.00819EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2021/02/23 4:4 p.m.74 views

CVE-2021-22113

The CVE-2021-22113 entry concerns Spring Cloud Netflix Zuul 2.2.6.RELEASE and earlier, where the Sensitive Headers functionality can be bypassed by specially constructed URLs. The Red Hat and GN documents corroborate that Zuul’s handling of sensitive headers is vulnerable, potentially allowing an...

5.3CVSS5.2AI score0.00819EPSS
Exploits0References1Affected Software1
CNNVD
CNNVD
added 2021/02/23 12:0 a.m.7 views

Vmware Spring Cloud Security Vulnerability

Vmware Spring Cloud Config is a set of configuration management solutions for distributed systems from Vmware. The product focuses on providing server and client support for external configuration in distributed systems. Spring Cloud Netflix Zuul 2.2.6.RELEASE A security vulnerability exists in t...

5.3CVSS6.4AI score0.00819EPSS
Exploits0References2
Veracode
Veracode
added 2021/02/15 6:52 a.m.32 views

Authorization Bypass

spring-cloud-netflix-zuul is vulnerable to authorization bypass. An attacker is able to send a request containing a malicious URL to bypass the “Sensitive Headers” restrictions. Applications using Spring Security's StrictHttpFirewall enabled by default for all URLs are not affected by this...

5.3CVSS2.4AI score0.00819EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2021/02/10 7:15 p.m.5 views

CVE-2021-22133

The Elastic APM agent for Go versions before 1.11.0 can leak sensitive HTTP header information when logging the details during an application panic. Normally, the APM agent will sanitize sensitive HTTP header details before sending the information to the APM server. During an application panic it...

2.4CVSS5.8AI score0.00521EPSS
Exploits0References1
Cvelist
Cvelist
added 2018/09/19 7:0 p.m.29 views

CVE-2018-3828

Elastic Cloud Enterprise ECE versions prior to 1.1.4 contain an information exposure vulnerability. It was discovered that certain exception conditions would result in encryption keys, passwords, and other security sensitive headers being leaked to the allocator logs. An attacker with access to t...

7.4AI score0.00513EPSS
Exploits0References2
CVE
CVE
added 2018/09/19 7:0 p.m.57 views

CVE-2018-3828

Elastic Cloud Enterprise (ECE) prior to version 1.1.4 contains an information exposure vulnerability where certain exception conditions can leak encryption keys, passwords, and other sensitive headers to allocator logs. An attacker with access to the logging cluster could obtain leaked credential...

7.5CVSS7.3AI score0.00513EPSS
Exploits0References2Affected Software1
Rows per page
Query Builder