GHSA-M4V8-WQVR-P9F7 Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline
Impact: Undici cleared Authorization and Proxy-Authorization headers for fetch, but did not clear them for undici.request. Patches: This has been patched in https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75. Fixes have been released in v5.28.4 and v6.11.1. Workarounds...
Undici security vulnerability
undici is an HTTP/1.1 client. A security vulnerability exists in Undici that stems from not clearing the Proxy-Authorization header when following cross-domain redirects for dispatch, request, stream, pipeline, etc. Affected products and versions: Undici versions prior to 5.28.3, 6.0.0 through...
PT-2024-2954 · Node.js · Undici
Name of the Vulnerable Software and Affected Versions: Undici versions prior to 5.28.4; Undici versions prior to 6.11.1. Description: The issue is related to the Undici HTTP/1.1 client for Node.js, which has a flaw in its authorization procedure. Specifically, Undici clears Authorization and...
Proxy-Authorization header kept across hosts in follow-redirects
...
follow-redirects' Proxy-Authorization header kept across hosts
When using axios, its dependency follow-redirects only clears the Authorization header during a cross-domain redirect, but allows the Proxy-Authorization header, which contains credentials too. Steps To Reproduce & PoC Test code: js const axios = require('axios'); axios.get('http://127.0.0.1:10081/',...
GHSA-CXJH-PQWP-8MFP follow-redirects' Proxy-Authorization header kept across hosts
When using axios, its dependency follow-redirects only clears the Authorization header during a cross-domain redirect, but allows the Proxy-Authorization header, which contains credentials too. Steps To Reproduce & PoC Test code: js const axios = require('axios'); axios.get('http://127.0.0.1:10081/',...
CVE-2024-28849 Proxy-Authorization header kept across hosts in follow-redirects
follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. In affected versions follow-redirects only clears the Authorization header during a cross-domain redirect, but keeps the Proxy-Authorization header, which contains credentials...
Node.js: Proxy-Authorization header not cleared on cross-origin redirect in undici.request
The Proxy-Authorization and x-auth-token headers were not cleared on cross-origin redirects in versions of undici up to and including 6.7.0. This issue was similar to a previously fixed security vulnerability where Authorization and Cookie headers were not cleared on such redirects...
CentOS 9 : python-requests-2.25.1-7.el9
The remote CentOS Linux 9 host has packages installed that are affected by a vulnerability as referenced in the python-requests-2.25.1-7.el9 build changelog. - Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when...
Internet Bug Bounty: Proxy-Authorization header is not cleared in cross-domain redirect in undici
Proxy-Authorization header not cleared on cross-origin redirect in Undici. Impacted versions >= v6.0.0 and <= v6.6.0. Patched in v5.28.3 and v6.6.1. No known workarounds...
Security Bulletin: IBM Cloud Pak for Data Scheduling is vulnerable to Python-requests Proxy-Authorization header leak (CVE-2023-32681)
Summary: Python-requests is used by IBM Cloud Pak for Data Scheduling as part of the Ansible operator for Scheduler installation. This vulnerability is addressed. Vulnerability Details: CVEID: CVE-2023-32681. DESCRIPTION: python-requests could allow a remote attacker to obtain sensitive information,...
CVE-2024-24758 Proxy-Authorization header not cleared on cross-origin redirect in fetch in Undici
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authentication headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known...
Undici proxy-authorization header not cleared on cross-origin redirect in fetch
Impact: Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authorization headers. Patches: This is patched in v5.28.3 and v6.6.1. Workarounds: There are no known workarounds. References: - https://fetch.spec.whatwg.org/authentication-entries -...
GHSA-3787-6PRV-H9W3 Undici proxy-authorization header not cleared on cross-origin redirect in fetch
Impact: Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authorization headers. Patches: This is patched in v5.28.3 and v6.6.1. Workarounds: There are no known workarounds. References: - https://fetch.spec.whatwg.org/authentication-entries -...
undici Information Disclosure Vulnerability
undici is an HTTP/1.1 client. An information disclosure vulnerability exists in undici v5.28.2 and earlier, and in versions 6.0.0 through 6.6.0, which stems from a failure to clear the Proxy-Authorization header...
CentOS 8 : python-requests (CESA-2023:4520)
The remote CentOS Linux 8 host has a package installed that is affected by a vulnerability as referenced in the CESA-2023:4520 advisory. - Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS...
EulerOS Virtualization 2.11.1 : python-requests (EulerOS-SA-2023-2741)
According to the versions of the python-requests package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities: - Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination...
EulerOS 2.0 SP8 : python-requests (EulerOS-SA-2023-3152)
According to the versions of the python-requests packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: - Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when...
EulerOS Virtualization 2.10.1 : python-requests (EulerOS-SA-2023-2927)
According to the versions of the python-requests package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities: - Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination...