Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

fstec логотип

BDU:2024-02610

Опубликовано: 14 мар. 2024
Источник: fstec
CVSS3: 6.5
CVSS2: 6.8
EPSS Низкий

Описание

Уязвимость модуля Node.js follow-redirects связана с недостаточной защитой служебных данных. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, получить несанкционированный доступ к защищаемой информации

Вендор

Novell Inc.
Сообщество свободного программного обеспечения
Red Hat Inc.
Fedora Project

Наименование ПО

SUSE Linux Enterprise Server for SAP Applications
Suse Linux Enterprise Server
Debian GNU/Linux
Red Hat Advanced Cluster Management for Kubernetes
Red Hat Discovery
Fedora
follow-redirects
multicluster engine for Kubernetes
Red Hat OpenShift Logging (RHOL)

Версия ПО

12 SP3 (SUSE Linux Enterprise Server for SAP Applications)
12 SP4 (SUSE Linux Enterprise Server for SAP Applications)
12 SP3 (Suse Linux Enterprise Server)
12 SP4 (Suse Linux Enterprise Server)
15 (SUSE Linux Enterprise Server for SAP Applications)
15 SP1 (SUSE Linux Enterprise Server for SAP Applications)
12 SP5 (Suse Linux Enterprise Server)
12 SP5 (SUSE Linux Enterprise Server for SAP Applications)
10 (Debian GNU/Linux)
15-LTSS (Suse Linux Enterprise Server)
12 (SUSE Linux Enterprise Server for SAP Applications)
15 SP1-BCL (Suse Linux Enterprise Server)
15 SP1-LTSS (Suse Linux Enterprise Server)
15 SP1 (Suse Linux Enterprise Server)
11 (Debian GNU/Linux)
12 (Debian GNU/Linux)
12 (Suse Linux Enterprise Server)
15 SP3 (Suse Linux Enterprise Server)
15 SP3 (SUSE Linux Enterprise Server for SAP Applications)
15 SP2 (Suse Linux Enterprise Server)
15 SP2 (SUSE Linux Enterprise Server for SAP Applications)
2 (Red Hat Advanced Cluster Management for Kubernetes)
15 SP4 (Suse Linux Enterprise Server)
15 (Suse Linux Enterprise Server)
15 SP2-BCL (Suse Linux Enterprise Server)
15 SP2-LTSS (Suse Linux Enterprise Server)
15 SP3-LTSS (Suse Linux Enterprise Server)
15 SP3-BCL (Suse Linux Enterprise Server)
- (Red Hat Discovery)
40 (Fedora)
15 SP4-LTSS (Suse Linux Enterprise Server)
до 1.15.6 (follow-redirects)
- (multicluster engine for Kubernetes)
5.8 (Red Hat OpenShift Logging (RHOL))

Тип ПО

Операционная система
Сетевое средство
Прикладное ПО информационных систем

Операционные системы и аппаратные платформы

Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP3
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP4
Novell Inc. Suse Linux Enterprise Server 12 SP3
Novell Inc. Suse Linux Enterprise Server 12 SP4
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP1
Novell Inc. Suse Linux Enterprise Server 12 SP5
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP5
Сообщество свободного программного обеспечения Debian GNU/Linux 10
Novell Inc. Suse Linux Enterprise Server 15-LTSS
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12
Novell Inc. Suse Linux Enterprise Server 15 SP1-BCL
Novell Inc. Suse Linux Enterprise Server 15 SP1-LTSS
Novell Inc. Suse Linux Enterprise Server 15 SP1
Сообщество свободного программного обеспечения Debian GNU/Linux 11
Сообщество свободного программного обеспечения Debian GNU/Linux 12
Novell Inc. Suse Linux Enterprise Server 12
Novell Inc. Suse Linux Enterprise Server 15 SP3
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP3
Novell Inc. Suse Linux Enterprise Server 15 SP2
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP2
Novell Inc. Suse Linux Enterprise Server 15 SP4
Novell Inc. Suse Linux Enterprise Server 15
Novell Inc. Suse Linux Enterprise Server 15 SP2-BCL
Red Hat Inc. Red Hat Enterprise Linux 9
Novell Inc. Suse Linux Enterprise Server 15 SP2-LTSS
Novell Inc. Suse Linux Enterprise Server 15 SP3-LTSS
Novell Inc. Suse Linux Enterprise Server 15 SP3-BCL
Fedora Project Fedora 40
Novell Inc. Suse Linux Enterprise Server 15 SP4-LTSS

Уровень опасности уязвимости

Средний уровень опасности (базовая оценка CVSS 2.0 составляет 6,8)
Средний уровень опасности (базовая оценка CVSS 3.0 составляет 6,5)

Возможные меры по устранению уязвимости

Использование рекомендаций:
Для follow-redirects:
обновление модуля до версии 1.15.6 и выше
Для программных продуктов Novell Inc.:
https://www.suse.com/security/cve/CVE-2024-28849.html
Для программных продуктов Fedora:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z/
Для Debian GNU/Linux:
https://security-tracker.debian.org/tracker/CVE-2024-28849
Для программных продуктов Red Hat Inc.:
https://access.redhat.com/security/cve/CVE-2024-28849

Статус уязвимости

Подтверждена производителем

Наличие эксплойта

Существует в открытом доступе

Информация об устранении

Уязвимость устранена

Ссылки на источники

Идентификаторы других систем описаний уязвимостей

EPSS

Процентиль: 71%
0.00677
Низкий

6.5 Medium

CVSS3

6.8 Medium

CVSS2

Связанные уязвимости

ubuntu логотип

CVE-2024-28849

CVSS3: 6.5
ubuntu
почти 2 года назад

follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.

redhat логотип

CVE-2024-28849

CVSS3: 6.5
redhat
почти 2 года назад

follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.

nvd логотип

CVE-2024-28849

CVSS3: 6.5
nvd
почти 2 года назад

follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.

msrc логотип

CVE-2024-28849

CVSS3: 6.5
msrc
почти 2 года назад

Proxy-Authorization header kept across hosts in follow-redirects

debian логотип

CVE-2024-28849

CVSS3: 6.5
debian
почти 2 года назад

follow-redirects is an open source, drop-in replacement for Node's `ht ...

EPSS

Процентиль: 71%
0.00677
Низкий

6.5 Medium

CVSS3

6.8 Medium

CVSS2