Veracode Vulnerability Database: VERACODE:43806
Oct 13, 2023 - 4:59 a.m.

Cross-Origin Cookie Leakage

2023-10-13 04:59:40
Veracode Vulnerability Database (sca.analysiscenter.veracode.com)

Tags: undici, vulnerability, cross-origin, cookie leakage, failure, clear, headers, accidental, leakage, 3rd-party, site, malicious, attacker, redirection, control, software

CVSS3: 3.9 Low

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

AI Score: 6.4 Medium (Confidence: Low)

Undici is vulnerable to Cross-Origin Cookie Leakage. The vulnerability is due to a failure to clear cookie headers, which may lead to accidental leakage of cookies to a third-party site or to a malicious attacker who can control the redirection target.
