GHSA-pc5p-h8pf-mvwp

Опубликовано: 16 апр. 2020

Источник: github

Github: Прошло ревью

CVSS3: 6.1

Описание

Machine-In-The-Middle in https-proxy-agent

Versions of https-proxy-agent prior to 2.2.3 are vulnerable to Machine-In-The-Middle. The package fails to enforce TLS on the socket if the proxy server responds the to the request with a HTTP status different than 200. This allows an attacker with access to the proxy server to intercept unencrypted communications, which may include sensitive information such as credentials.

Recommendation

Upgrade to version 3.0.0 or 2.2.3.

Ссылки

https://github.com/TooTallNate/node-https-proxy-agent/commit/36d8cf509f877fa44f4404fce57ebaf9410fe51b
https://hackerone.com/reports/541502
https://snyk.io/vuln/SNYK-JS-HTTPSPROXYAGENT-469131
https://www.npmjs.com/advisories/1184

Пакеты

Наименование

https-proxy-agent

npm

Затронутые версииВерсия исправления

< 2.2.3

2.2.3

6.1 Medium

CVSS3

Дефекты

CWE-300

6.1 Medium

CVSS3

Дефекты

CWE-300