exploitDog

CVE-2022-32210

Published: 14 Jul 2022
Source: nvd
CVSS3: 6.5
EPSS: Low

Description

Undici.ProxyAgent never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.

References

Vulnerable configurations

Configuration 1
cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*
Versions from 4.8.2 (inclusive) to 5.5.1 (exclusive)

EPSS

Percentile: 32%
0.00127
Low

6.5 Medium

CVSS3

Weaknesses

CWE-295

Related vulnerabilities

CVSS3: 6.5
ubuntu
more than 3 years ago

`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.

CVSS3: 6.5
debian
more than 3 years ago

`Undici.ProxyAgent` never verifies the remote server's certificate, an ...

CVSS3: 7.7
github
more than 3 years ago

ProxyAgent vulnerable to MITM
