Github Security Blog
added 2024/03/14 5:19 p.m., 52 views

follow-redirects' Proxy-Authorization header kept across hosts

When using axios, its dependency follow-redirects only clears the authorization header during a cross-domain redirect, but allows the proxy-authentication header, which contains credentials too. Steps To Reproduce & PoC Test code (js): const axios = require('axios'); axios.get('http://127.0.0.1:10081/', ...

CVSS 6.5 | AI score 6.5 | EPSS 0.01044
Exploits 1 | References 8 | Affected Software 1
OSV
added 2024/03/14 5:19 p.m., 7 views

GHSA-CXJH-PQWP-8MFP follow-redirects' Proxy-Authorization header kept across hosts

When using axios, its dependency follow-redirects only clears the authorization header during a cross-domain redirect, but allows the proxy-authentication header, which contains credentials too. Steps To Reproduce & PoC Test code (js): const axios = require('axios'); axios.get('http://127.0.0.1:10081/', ...

CVSS 6.5 | AI score 6.8 | EPSS 0.01044
Exploits 1 | References 8
Cvelist
added 2024/03/14 5:07 p.m., 31 views

CVE-2024-28849 Proxy-Authorization header kept across hosts in follow-redirects

follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. In affected versions follow-redirects only clears the authorization header during a cross-domain redirect, but keeps the proxy-authentication header, which contains credentials...

CVSS 6.5 | AI score 6.5 | EPSS 0.01044
Exploits 1 | References 6
Vulnrichment
added 2024/03/14 5:07 p.m., 30 views

CVE-2024-28849 Proxy-Authorization header kept across hosts in follow-redirects

follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. In affected versions follow-redirects only clears the authorization header during a cross-domain redirect, but keeps the proxy-authentication header, which contains credentials...

CVSS 6.5 | AI score 6.6 | EPSS 0.01044
Exploits 1 | References 6
Hacker One
added 2024/03/08 4:43 a.m., 47 views

Node.js: Proxy-Authorization header not cleared on cross-origin redirect in undici.request

The Proxy-Authorization and x-auth-token headers were not cleared on cross-origin redirects in versions of undici up to and including 6.7.0. This issue was similar to a previously fixed security vulnerability where Authorization and Cookie headers were not cleared on such redirects...

CVSS 4.3 | AI score 4.6 | EPSS 0.00734
Exploits 0
Tenable Nessus
added 2024/02/29 12:00 a.m., 277 views

CentOS 9 : python-requests-2.25.1-7.el9

The remote CentOS Linux 9 host has packages installed that are affected by a vulnerability as referenced in the python-requests-2.25.1-7.el9 build changelog. - Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when...

CVSS 6.1 | AI score 7.1 | EPSS 0.02782
Exploits 1 | References 2
Hacker One
added 2024/02/26 5:59 a.m., 42 views

Internet Bug Bounty: Proxy-Authorization header is not cleared in cross-domain redirect in undici

Proxy-Authorization header not cleared on cross-origin redirect in Undici. Impacted versions >= v6.0.0 and <= v6.6.0. Patched in v5.28.3 and v6.6.1. No known workarounds...

CVSS 4.5 | AI score 5.5 | EPSS 0.00765
Exploits 0
IBM Security Bulletins
added 2024/02/20 7:43 p.m., 18 views

Security Bulletin: IBM Cloud Pak for Data Scheduling is vulnerable to Python-requests Proxy-Authorization header leak (CVE-2023-32681)

Summary: Python-requests is used by IBM Cloud Pak for Data Scheduling as part of the Ansible operator for Scheduler installation. This vulnerability is addressed. Vulnerability Details: CVEID: CVE-2023-32681 DESCRIPTION: python-requests could allow a remote attacker to obtain sensitive information,...

CVSS 6.1 | AI score 6.3 | EPSS 0.02782
Exploits 1 | Affected Software 1
Vulnrichment
added 2024/02/16 9:40 p.m., 26 views

CVE-2024-24758 Proxy-Authorization header not cleared on cross-origin redirect in fetch in Undici

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authentication headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known...

CVSS 3.9 | AI score 4.6 | EPSS 0.00765
Exploits 0 | References 4
OSV
added 2024/02/16 4:02 p.m., 0 views

GHSA-3787-6PRV-H9W3 Undici proxy-authorization header not cleared on cross-origin redirect in fetch

Impact: Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authorization headers. Patches: This is patched in v5.28.3 and v6.6.1. Workarounds: There are no known workarounds. References: - https://fetch.spec.whatwg.org/authentication-entries -...

CVSS 3.9 | AI score 6.8 | EPSS 0.00765
Exploits 0 | References 9
Github Security Blog
added 2024/02/16 4:02 p.m., 138 views

Undici proxy-authorization header not cleared on cross-origin redirect in fetch

Impact: Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authorization headers. Patches: This is patched in v5.28.3 and v6.6.1. Workarounds: There are no known workarounds. References: - https://fetch.spec.whatwg.org/authentication-entries -...

CVSS 4.5 | AI score 7.1 | EPSS 0.00765
Exploits 0 | References 9 | Affected Software 1
CNNVD
added 2024/02/16 12:00 a.m., 2 views

undici Information Disclosure Vulnerability

undici is an HTTP/1.1 client. An information disclosure vulnerability exists in undici v5.28.2 and earlier, and versions 6.0.0 through 6.6.0, which stems from an information disclosure vulnerability due to failure to clear the Proxy-Authorization header...

CVSS 4.5 | AI score 6.6 | EPSS 0.00765
Exploits 0 | References 5
Tenable Nessus
added 2024/02/08 12:00 a.m., 32 views

CentOS 8 : python-requests (CESA-2023:4520)

The remote CentOS Linux 8 host has a package installed that is affected by a vulnerability as referenced in the CESA-2023:4520 advisory. - Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS...

CVSS 6.1 | AI score 7.1 | EPSS 0.02782
Exploits 1 | References 2
Tenable Nessus
added 2024/01/16 12:00 a.m., 24 views

EulerOS 2.0 SP8 : python-requests (EulerOS-SA-2023-3152)

According to the versions of the python-requests packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: - Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when...

CVSS 6.1 | AI score 7.1 | EPSS 0.02782
Exploits 1 | References 2
Tenable Nessus
added 2024/01/16 12:00 a.m., 26 views

EulerOS 2.0 SP10 : python-pip (EulerOS-SA-2023-2821)

According to the versions of the python-pip packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: - Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirect...

CVSS 6.1 | AI score 7.1 | EPSS 0.02782
Exploits 1 | References 2
Tenable Nessus
added 2024/01/16 12:00 a.m., 22 views

EulerOS Virtualization 3.0.6.6 : python-requests (EulerOS-SA-2023-3413)

According to the versions of the python-requests package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities: - Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination...

CVSS 6.1 | AI score 7 | EPSS 0.02782
Exploits 1 | References 2
Tenable Nessus
added 2024/01/16 12:00 a.m., 24 views

EulerOS 2.0 SP11 : python-requests (EulerOS-SA-2023-2707)

According to the versions of the python-requests package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: - Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when...

CVSS 6.1 | AI score 7.1 | EPSS 0.02782
Exploits 1 | References 2
Tenable Nessus
added 2024/01/16 12:00 a.m., 21 views

EulerOS Virtualization 3.0.6.0 : python-pip (EulerOS-SA-2023-3450)

According to the versions of the python-pip packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities: - Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination server...

CVSS 6.1 | AI score 7 | EPSS 0.02782
Exploits 1 | References 2
Tenable Nessus
added 2024/01/16 12:00 a.m., 11 views

EulerOS Virtualization 2.11.0 : python-requests (EulerOS-SA-2023-2772)

According to the versions of the python-requests package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities: - Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination...

CVSS 6.1 | AI score 7 | EPSS 0.02782
Exploits 1 | References 2
Tenable Nessus
added 2024/01/16 12:00 a.m., 30 views

EulerOS Virtualization 2.11.1 : python-requests (EulerOS-SA-2023-2741)

According to the versions of the python-requests package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities: - Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination...

CVSS 6.1 | AI score 7 | EPSS 0.02782
Exploits 1 | References 2