534 matches found

CNNVD
added 2024/06/17 12:0 a.m. · 2 views

urllib3 Security Vulnerabilities

urllib3 is a Python HTTP library. It features thread-safe connection pooling, file publishing support, and more. A security vulnerability exists in urllib3 that stems from not stripping the proxy authorization request header during cross-domain redirects...

CVSS 4.4 · AI score 9.5 · EPSS 0.01141
Exploits 1 · References 12

Tenable Nessus
added 2024/05/30 12:0 a.m. · 24 views

SUSE SLES12 Security Update : nodejs16 (SUSE-SU-2024:1836-1)

The remote SUSE Linux SLES12 / SLESSAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:1836-1 advisory. - CVE-2024-30260: undici: proxy-authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline...

CVSS 4.3 · AI score 6.5 · EPSS 0.00803
Exploits 1 · References 7

OSV
added 2024/05/29 12:11 p.m. · 7 views

SUSE-SU-2024:1837-1 Security update for nodejs16

This update for nodejs16 fixes the following issues: - CVE-2024-30260: undici: proxy-authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline bsc1222530 - CVE-2024-30261: undici: Ensure that integrity cannot be tampered with bsc1222603...

CVSS 4.3 · AI score 4.6 · EPSS 0.00803
Exploits 1 · References 5

Tenable Nessus
added 2024/05/11 12:0 a.m. · 13 views

RHEL 6 : python-requests (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - python-requests: Redirect from HTTPS to HTTP does not remove Authorization header CVE-2018-18074 - Reques...

AI score 7.5 · EPSS 0.07443
Exploits 3 · References 2

Tenable Nessus
added 2024/04/18 12:0 a.m. · 16 views

NewStart CGSL CORE 5.04 / MAIN 5.04 : python-requests Multiple Vulnerabilities (NS-SA-2024-0014)

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has python-requests packages installed that are affected by multiple vulnerabilities: - The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-htt...

CVSS 7.5 · AI score 7 · EPSS 0.07443
Exploits 3 · References 5

OSV
added 2024/04/16 9:32 a.m. · 7 views

SUSE-SU-2024:1309-1 Security update for nodejs18

This update for nodejs18 fixes the following issues: Update to 18.20.1 Security fixes: - CVE-2024-27983: Fixed failed assertion in node::http2::Http2Session::Http2Session that could lead to HTTP/2 server crash bsc1222244 - CVE-2024-27982: Fixed HTTP Request Smuggling via Content Length Obfuscatio...

CVSS 8.2 · AI score 7.8 · EPSS 0.87211
Exploits 3 · References 11

OSV
added 2024/04/16 9:32 a.m. · 10 views

SUSE-SU-2024:1307-1 Security update for nodejs18

This update for nodejs18 fixes the following issues: Update to 18.20.1 Security fixes: - CVE-2024-27983: Fixed failed assertion in node::http2::Http2Session::Http2Session that could lead to HTTP/2 server crash bsc1222244 - CVE-2024-27982: Fixed HTTP Request Smuggling via Content Length Obfuscatio...

CVSS 8.2 · AI score 7.8 · EPSS 0.87211
Exploits 3 · References 11

Microsoft CVE
added 2024/04/15 7:0 a.m. · 4 views

Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch request stream pipeline

...

CVSS 4.3 · AI score 6.7 · EPSS 0.00734
Exploits 0

Hacker One
added 2024/04/07 2:32 p.m. · 65 views

Internet Bug Bounty: Proxy-Authorization header not cleared on cross-origin redirect in undici.request

The Proxy-Authorization header was not cleared on cross-origin redirects in the Undici HTTP client library. This issue was reported and patched in later versions of Undici...

CVSS 4.3 · AI score 4.6 · EPSS 0.00734
Exploits 0

RedhatCVE
added 2024/04/04 8:21 p.m. · 24 views

CVE-2024-30260

A flaw was found in the nodejs-undici package. Proxy-Authorization headers are not cleared on cross-origin redirects, which can allow for the exposure of sensitive data or allow an attacker to capture the persistent proxy-authentication header. Mitigation: Mitigation for this issue is either not...

CVSS 3.9 · AI score 4 · EPSS 0.00734
Exploits 0 · References 3

OSV
added 2024/04/04 4:15 p.m. · 1 views

DEBIAN-CVE-2024-30260

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for fetch, but did not clear them for undici.request. This vulnerability was patched in versions 5.28.4 and 6.11.1...

CVSS 4.3 · AI score 6.2 · EPSS 0.00734
Exploits 0 · References 1

OSV
added 2024/04/04 4:15 p.m. · 5 views

AZL-39734 CVE-2024-30260 affecting package nodejs for versions less than 20.14.0-1

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for fetch, but did not clear them for undici.request. This vulnerability was patched in versions 5.28.4 and 6.11.1...

CVSS 4.3 · AI score 6.6 · EPSS 0.00734
Exploits 0 · References 1

UbuntuCve
added 2024/04/04 4:15 p.m. · 19 views

CVE-2024-30260

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for fetch, but did not clear them for undici.request. This vulnerability was patched in versions 5.28.4 and 6.11.1...

CVSS 4.3 · AI score 6.8 · EPSS 0.00734
Exploits 0 · References 6

Cvelist
added 2024/04/04 3:15 p.m. · 28 views

CVE-2024-30260 Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for fetch, but did not clear them for undici.request. This vulnerability was patched in versions 5.28.4 and 6.11.1...

CVSS 3.9 · AI score 4.8 · EPSS 0.00734
Exploits 0 · References 6

Debian CVE
added 2024/04/04 3:15 p.m. · 27 views

CVE-2024-30260

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for fetch, but did not clear them for undici.request. This vulnerability was patched in versions 5.28.4 and 6.11.1...

CVSS 4.3 · AI score 6.1 · EPSS 0.00734
Exploits 0

OSV
added 2024/04/04 2:20 p.m. · 1 views

GHSA-M4V8-WQVR-P9F7 Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline

Impact: Undici cleared Authorization and Proxy-Authorization headers for fetch, but did not clear them for undici.request. Patches: This has been patched in https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75. Fixes have been released in v5.28.4 and v6.11.1. Workarounds...

CVSS 3.9 · AI score 6.7 · EPSS 0.00734
Exploits 0 · References 10

Github Security Blog
added 2024/04/04 2:20 p.m. · 60 views

Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline

Impact: Undici cleared Authorization and Proxy-Authorization headers for fetch, but did not clear them for undici.request. Patches: This has been patched in https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75. Fixes have been released in v5.28.4 and v6.11.1. Workarounds...

CVSS 4.3 · AI score 4.7 · EPSS 0.00734
Exploits 0 · References 10 · Affected Software 1

CNNVD
added 2024/04/04 12:0 a.m. · 2 views

Undici Security Vulnerability

undici is an HTTP/1.1 client. A security vulnerability exists in Undici that stems from not clearing the Proxy-Authorization header when performing cross-domain redirects for dispatch, request, stream, pipeline, etc. Affected products and versions: Undici versions prior to 5.28.3, 6.0.0 through...

CVSS 4.3 · AI score 6.3 · EPSS 0.00734
Exploits 0 · References 8

Positive Technologies
added 2024/04/04 12:0 a.m. · 3 views

PT-2024-2954 · Node.Js +3 · Undici +3

Name of the Vulnerable Software and Affected Versions: Undici versions prior to 5.28.4 Undici versions prior to 6.11.1 Description: The issue is related to the Undici HTTP/1.1 client for Node.js, which has a flaw in its authorization procedure. Specifically, Undici clears Authorization and...

CVSS 8.2 · AI score 7.4 · EPSS 0.87211
Exploits 3 · References 67

Microsoft CVE
added 2024/03/25 7:0 a.m. · 3 views

Proxy-Authorization header kept across hosts in follow-redirects

...

CVSS 6.5 · AI score 6.9 · EPSS 0.01044
Exploits 1