Lucene search

K

GitHub_MVULNRICHMENT:CVE-2024-30260

HistoryApr 04, 2024 - 3:15 p.m.

CVE-2024-30260 Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline

2024-04-0415:15:44

CWE-285

GitHub_M

github.com

1

undici

http/1.1

node.js

vulnerability

patch

CVSS3

3.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

AI Score

6.7

Confidence

Low

SSVC

Exploitation

none

Automatable

no

Technical Impact

partial

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for fetch(), but did not clear them for undici.request(). This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

References

github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f

github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75

github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7

lists.fedoraproject.org/archives/list/[email protected]/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/

lists.fedoraproject.org/archives/list/[email protected]/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/

lists.fedoraproject.org/archives/list/[email protected]/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/

CVSS3

3.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

AI Score

6.7

Confidence

Low

SSVC

Exploitation

none

Automatable

no

Technical Impact

partial

Related for VULNRICHMENT:CVE-2024-30260

cbl_mariner2 hackerone2 debiancve1 ibm6 nvd1 cvelist1 osv2 nessus9 cve1 ubuntucve1 veracode1 github1 redhatcve1 openvas6 fedora3 redhat1