Description
Exposure of Sensitive Information in simple-get
In versions of simple-get prior to 4.0.1, 3.1.1, and 2.8.2, a request that carries a Cookie header and receives a redirect (a 3xx response with a Location header) is re-issued to the Location target with the original request headers, including the Cookie header. If the redirect points at a different host, the session cookie is sent to that third party.
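The following is an added example, not code from the simple-get project: it simulates the redirect-following decision offline, side by side in its vulnerable form (every header is re-sent to the Location target) and a hardened form (Cookie and Authorization are dropped when the target host differs from the current one, or when the hop downgrades from https to http). The hostname check mirrors the behaviour the advisory describes; the https-to-http downgrade check is an extra defence added here and is not claimed to be part of the upstream fix. The redirect chain in RESPONSES and the host names app.example and evil.example are constructed for the demonstration.

```javascript
// Added example (not simple-get's own code). Runs under Node.js without network access.
const CREDENTIAL_HEADERS = ['cookie', 'authorization'];

function lowerCaseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  return out;
}

// Vulnerable behaviour: the original headers, Cookie included, follow the redirect
// wherever the Location header points. Only Host is discarded.
function redirectHeadersUnsafe(headers, currentUrl, location) {
  const next = new URL(location, currentUrl);
  const h = lowerCaseHeaders(headers);
  delete h.host;
  return { url: next.toString(), headers: h };
}

// Hardened behaviour: credential-bearing headers are dropped when the redirect leaves
// the current host, or when it drops from https to http (added defence, see lead-in).
function redirectHeadersSafe(headers, currentUrl, location) {
  const cur = new URL(currentUrl);
  const next = new URL(location, currentUrl);
  const h = lowerCaseHeaders(headers);
  delete h.host;
  const crossHost = next.hostname !== cur.hostname;
  const downgrade = cur.protocol === 'https:' && next.protocol === 'http:';
  if (crossHost || downgrade) {
    for (const name of CREDENTIAL_HEADERS) delete h[name];
  }
  return { url: next.toString(), headers: h };
}

// Walk a constructed redirect chain, recording the URL and headers each hop would receive.
function followChain(responses, startUrl, headers, redirectFn, maxRedirects = 10) {
  const hops = [];
  let url = startUrl;
  let h = lowerCaseHeaders(headers);
  for (let i = 0; i <= maxRedirects; i++) {
    hops.push({ url, headers: { ...h } });
    const res = responses[url];
    if (!res) throw new Error(`no constructed response for ${url}`);
    if (res.status >= 300 && res.status < 400 && res.location) {
      ({ url, headers: h } = redirectFn(h, url, res.location));
      continue;
    }
    return hops;
  }
  throw new Error('too many redirects');
}

// Constructed responses: a same-host redirect followed by a redirect to a third-party host.
const RESPONSES = {
  'https://app.example/login': { status: 302, location: '/dashboard' },
  'https://app.example/dashboard': { status: 302, location: 'https://evil.example/collect' },
  'https://evil.example/collect': { status: 200 },
};

const REQUEST_HEADERS = { Cookie: 'session=abc123', Authorization: 'Bearer t0ken' };

// Returns the hops each variant would perform, so the difference can be inspected or asserted.
function compareRedirectHandling() {
  return {
    unsafe: followChain(RESPONSES, 'https://app.example/login', REQUEST_HEADERS, redirectHeadersUnsafe),
    safe: followChain(RESPONSES, 'https://app.example/login', REQUEST_HEADERS, redirectHeadersSafe),
  };
}

const { unsafe, safe } = compareRedirectHandling();
console.log('unsafe, last hop:', unsafe[unsafe.length - 1]);
console.log('safe, last hop:  ', safe[safe.length - 1]);
```

In the unsafe run the third hop, to evil.example, still carries `cookie: session=abc123`; in the safe run the same-host hop to /dashboard keeps the cookie and the cross-host hop arrives with neither Cookie nor Authorization. A real client also needs a redirect limit (kept here as maxRedirects) and should treat the Location value as untrusted input.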
References
- https://nvd.nist.gov/vuln/detail/CVE-2022-0355
- https://github.com/feross/simple-get/pull/75#issuecomment-1027755026
- https://github.com/feross/simple-get/pull/76#issuecomment-1027754710
- https://github.com/feross/simple-get/commit/e4af095e06cd69a9235013e8507e220a79b9684f
- https://github.com/feross/simple-get
- https://huntr.dev/bounties/42c79c23-6646-46c4-871d-219c0d4b4e31
Packages

Name         Ecosystem   Affected versions    Fixed version
simple-get   npm         = 4.0.0              4.0.1
simple-get   npm         >= 3.0.0, < 3.1.1    3.1.1
simple-get   npm         < 2.8.2              2.8.2
Related vulnerabilities

CVSS3: 7.5 (redhat, about 4 years ago)
Improper Removal of Sensitive Information Before Storage or Transfer in NPM simple-get prior to 4.0.1.

CVSS3: 8.8 (nvd, about 4 years ago)
Improper Removal of Sensitive Information Before Storage or Transfer in NPM simple-get prior to 4.0.1.