CVSS3: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
AI Score: 6.3 Medium
Confidence: High
EPSS: 0.0004 Low
Percentile: 10.3%
follow-redirects is vulnerable to Credential Leakage. The vulnerability is due to insufficient redaction of the proxy-authentication header when handling requests. If an attacker can trigger a cross-domain redirect, they can capture the redirected request, including its sensitive proxy-auth header, resulting in the leakage of credentials.
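The defensive check the description implies, as an added example that is not follow-redirects' own code: when following a redirect, credential-bearing headers (including Proxy-Authorization) are only carried over if the target resolves to the same scheme and host as the original request; the header names, URLs and header values below are constructed for illustration.

```javascript
// Added example (not follow-redirects code): decide which request headers may
// accompany a redirect, stripping credential-bearing ones when the redirect
// leaves the host the original request was addressed to.
const CREDENTIAL_HEADERS = ["authorization", "proxy-authorization", "cookie"];

// True when the redirect target shares scheme and host (port included) with
// the original request. Relative Location values are resolved against the
// original URL, as a client following redirects has to do.
function sameHost(originalUrl, redirectUrl) {
  const orig = new URL(originalUrl);
  const next = new URL(redirectUrl, originalUrl);
  return orig.protocol === next.protocol && orig.host === next.host;
}

// Build the header set for the redirected request. Credential headers are kept
// only for same-host redirects; every other header is copied through unchanged.
// Returns the surviving headers plus the list of names that were dropped, so a
// caller can log the redaction.
function headersForRedirect(originalUrl, redirectUrl, headers) {
  const keep = sameHost(originalUrl, redirectUrl);
  const out = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (!keep && CREDENTIAL_HEADERS.includes(name.toLowerCase())) {
      dropped.push(name);
      continue;
    }
    out[name] = value;
  }
  return { headers: out, dropped };
}

// Constructed sample: a request sent through an authenticated proxy that is
// then redirected, once to a different site and once within the same site.
const sampleHeaders = {
  "Proxy-Authorization": "Basic cHJveHl1c2VyOnNlY3JldA==", // constructed value
  "Authorization": "Bearer example-token",                 // constructed value
  "Accept": "application/json",
};
const crossSite = headersForRedirect(
  "https://api.example.com/v1", "https://other.example.net/landing", sampleHeaders);
const sameSite = headersForRedirect(
  "https://api.example.com/v1", "/v2", sampleHeaders);
console.log("cross-site dropped:", crossSite.dropped); // prints [ 'Proxy-Authorization', 'Authorization' ]
console.log("same-site dropped:", sameSite.dropped);   // prints []
```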
CPE Name | Operator | Version
---|---|---
follow-redirects | le | 1.15.5
node-follow-redirects:sid | eq | 1.13.0-1
fetch.spec.whatwg.org/#authentication-entries
github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b
github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp
github.com/psf/requests/issues/1885
hackerone.com/reports/2390009
lists.fedoraproject.org/archives/list/[email protected]/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z/