Description
Withdrawn Advisory: Incorrect Authorization in cross-fetch
Withdrawn Advisory
This advisory has been withdrawn because the vulnerability originates from a dependency. For more information, see the Maintainer comments in https://huntr.com/bounties/ab55dfdd-2a60-437a-a832-e3efe3d264ac.
Original Description
When fetching a remote URL with a Cookie header, if the response contains a Location header, the client follows that URL and fetches it with the provided cookie, so the cookie is leaked to a third party. For example, if you fetch example.com with a cookie and the response redirects to attacker.com, the redirect URL is fetched with the provided cookie.
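A defensive counterpart to the behavior described above, as an added example that is not code from cross-fetch or its dependency: redirects are followed manually and credential headers are dropped as soon as a hop leaves the original origin. The function names, the `SENSITIVE` header list and the stub transport are assumptions made for this example, and it covers body-less GET requests only.

```javascript
// Added example: strip credential headers when a redirect crosses origins.
// SENSITIVE and all function names are choices made for this illustration.
const SENSITIVE = new Set(['cookie', 'authorization', 'proxy-authorization']);

// Compute the next URL and the headers that are safe to send to it.
function headersForRedirect(fromUrl, location, headers) {
  const from = new URL(fromUrl);
  const to = new URL(location, from); // Location may be relative
  // Origin = scheme + host + port, so an https -> http downgrade also strips.
  const sameOrigin = from.origin === to.origin;
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (sameOrigin || !SENSITIVE.has(name.toLowerCase())) out[name] = value;
  }
  return { url: to.href, headers: out };
}

// Follow redirects by hand. `fetchImpl` is any fetch-compatible function that
// returns the 3xx response itself when called with redirect: 'manual'.
async function fetchStrippingCredentials(fetchImpl, url, headers, maxHops = 5) {
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = await fetchImpl(url, { headers, redirect: 'manual' });
    const location = res.headers.get('location');
    if (res.status < 300 || res.status > 399 || !location) return res;
    // Once stripped, credentials stay stripped for every later hop.
    ({ url, headers } = headersForRedirect(url, location, headers));
  }
  throw new Error('too many redirects');
}

// Constructed transport for an offline run: example.com answers with a 302
// to attacker.com; every request is recorded in `seen` for inspection.
function makeStubFetch(seen) {
  return async (url, init) => {
    seen.push({ url, headers: init.headers });
    const redirecting = new URL(url).hostname === 'example.com';
    const h = redirecting ? { location: 'https://attacker.com/collect' } : {};
    return { status: redirecting ? 302 : 200, headers: { get: (n) => h[n] ?? null } };
  };
}
```
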
Packages
cross-fetch: affected versions >= 3.0.0, < 3.1.5; patched version 3.1.5
cross-fetch: affected versions < 2.2.6; patched version 2.2.6
Related vulnerabilities
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository lquixada/cross-fetch prior to 3.1.5.
A vulnerability in the cross-fetch WHATWG Fetch API for Node, related to errors in cookie handling, that allows an attacker to gain unauthorized access to protected information.