CVE-2024-28849

Опубликовано: 14 мар. 2024

Источник: nvd

CVSS3: 6.5

EPSS Низкий

Описание

follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Ссылки

https://fetch.spec.whatwg.org/#authentication-entries
Technical Description
https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b
Patch
https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp
Exploit
Vendor Advisory
https://github.com/psf/requests/issues/1885
Issue Tracking
https://hackerone.com/reports/2390009
Issue Tracking
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z/
Mailing List
Third Party Advisory
https://fetch.spec.whatwg.org/#authentication-entries
Technical Description
https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b
Patch
https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp
Exploit
Vendor Advisory
https://github.com/psf/requests/issues/1885
Issue Tracking
https://hackerone.com/reports/2390009
Issue Tracking
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z/
Mailing List
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:follow-redirects_project:follow-redirects:*:*:*:*:*:node.js:*:*

Версия до 1.15.6 (исключая)

EPSS

Процентиль: 71%

0.00677

Низкий

6.5 Medium

CVSS3

Дефекты

CWE-200

Связанные уязвимости

CVE-2024-28849

CVSS3: 6.5

ubuntu

почти 2 года назад

follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE-2024-28849

CVSS3: 6.5

redhat

почти 2 года назад

CVE-2024-28849

CVSS3: 6.5

msrc

почти 2 года назад

Proxy-Authorization header kept across hosts in follow-redirects

CVE-2024-28849

CVSS3: 6.5

debian

почти 2 года назад

follow-redirects is an open source, drop-in replacement for Node's `ht ...

GHSA-cxjh-pqwp-8mfp

CVSS3: 6.5

github

почти 2 года назад

follow-redirects' Proxy-Authorization header kept across hosts

EPSS

Процентиль: 71%

0.00677

Низкий

6.5 Medium

CVSS3

Дефекты

CWE-200