Ubuntu.comUB:CVE-2024-38372

HistoryJul 08, 2024 - 12:00 a.m.

CVE-2024-38372

2024-07-0800:00:00

ubuntu.com

undici http fetch node.js vulnerability

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

AI Score

Confidence

Low

JSON

Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending
on network and process conditions of a fetch() request,
response.arrayBuffer() might include portion of memory from the Node.js
process. This has been patched in v6.19.2.

OSVersionArchitecturePackageVersionFilename
ubuntu24.04noarchnode-undici< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	24.04	noarch	node-undici	< any	UNKNOWN

References

github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36

github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36 (v6.14.0)

github.com/nodejs/undici/issues/3328

github.com/nodejs/undici/issues/3337

github.com/nodejs/undici/pull/3338

github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq

launchpad.net/bugs/cve/CVE-2024-38372

nvd.nist.gov/vuln/detail/CVE-2024-38372

security-tracker.debian.org/tracker/CVE-2024-38372

www.cve.org/CVERecord?id=CVE-2024-38372

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

AI Score

Confidence

Low

JSON

Related for UB:CVE-2024-38372