exploitDog

GHSA-m4v8-wqvr-p9f7

Published: 04 Apr 2024
Source: github
GitHub: Reviewed
CVSS3: 3.9

Description

Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline

Impact

Undici cleared the Authorization and Proxy-Authorization headers on cross-origin redirects for fetch(), but did not clear them for undici.request() (and the related dispatch, stream and pipeline APIs), so a redirect to another origin could forward those credentials to the new host.

Patches

This has been patched in https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75. Fixes have been released in v5.28.4 and v6.11.1.

Workarounds

Use fetch() or disable maxRedirections.

References

Linzi Shang reported this.

Packages

Name: undici (npm)
Affected versions: < 5.28.4
Fixed version: 5.28.4

Name: undici (npm)
Affected versions: >= 6.0.0, < 6.11.1
Fixed version: 6.11.1

EPSS

Percentile: 41%
Score: 0.00188
Low

CVSS3: 3.9 Low

Weaknesses

CWE-200
CWE-285
CWE-863

Related vulnerabilities

CVSS3: 3.9
ubuntu
almost 2 years ago

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

CVSS3: 3.9
redhat
almost 2 years ago

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

CVSS3: 3.9
nvd
almost 2 years ago

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

CVSS3: 4.3
msrc
about 1 year ago

No description available

CVSS3: 3.9
debian
almost 2 years ago

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici ...
