exploitDog
CVE-2020-28168

Published: 29 Oct 2020
Source: redhat
CVSS3: 5.9

Description

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

A flaw was found in nodejs-axios. The Axios NPM package contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

Statement

Whilst in OpenShift Container Platform (OCP) the openshift4/ose-console container does include the vulnerable axios library, it does not use the vulnerable proxy functionality. Additionally, the console is behind OpenShift OAuth, restricting access to authenticated users only, and as such has been marked as Low impact. The OpenShift Service Mesh (OSSM) kiali component also includes the vulnerable axios library. Similar to OCP, kiali does not make use of the proxy function and is behind OpenShift OAuth, reducing the impact to Low.

Mitigation

A mitigation exists: by catching the error returned by axios.request, a redirect response can be identified. Updating the original request config with the new redirect location and repeating the request then sends that hop through the proxy as well, instead of letting the library follow the redirect with the proxy setting dropped. As identified by Marika in this GitHub comment: https://github.com/axios/axios/issues/3369#issuecomment-721748989.
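The workaround above in working code, as an added example written for this page; it is not code from the advisory, from the linked GitHub comment or from axios itself, and it is only for code that cannot move to axios 0.21.1 or later, where the upstream fix landed. It assumes an axios-like client function that rejects non-2xx responses with an error carrying `error.response`, which is how `axios.request` behaves once `maxRedirects` is set to 0 (the default `validateStatus` accepts only 2xx). The fake client, the start URL, the 10.0.0.5 target, the proxy host and the `allowHop` policy hook are all constructed for the demonstration; with real axios you would pass `axios.request` as `client`.

```javascript
// Added example for this page, not code from the advisory, from the linked
// GitHub comment, or from axios. Manual redirect handling for axios 0.21.0 so
// that every hop, not just the first request, is sent through the proxy.
//
// `client` is any axios-like function: it takes a request config, resolves
// with {status, headers, data} on 2xx and rejects with an error carrying
// `error.response` otherwise, which is what axios.request does once
// maxRedirects is 0 (the default validateStatus only accepts 2xx).
const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);

async function requestThroughProxy(client, config, options = {}) {
  const { maxHops = 5, allowHop = () => true } = options;
  // maxRedirects: 0 disables the follow-redirects path, which is the code
  // that dropped the proxy in 0.21.0; the 3xx now surfaces as a rejection.
  let current = { ...config, maxRedirects: 0 };
  const hops = [current.url];

  for (let hop = 0; hop <= maxHops; hop++) {
    try {
      const response = await client(current);
      return { response, hops };
    } catch (err) {
      const res = err.response;
      // Anything that is not a redirect is a real error for the caller.
      if (!res || !REDIRECT_STATUSES.has(res.status)) throw err;
      const location = res.headers && (res.headers.location || res.headers.Location);
      if (!location) throw new Error(`HTTP ${res.status} without a Location header`);
      // Location may be relative; resolve it against the URL just requested.
      const next = new URL(location, current.url).toString();
      // Policy hook (assumed, not an axios option): refuse hops to destinations
      // the caller does not allow, e.g. private ranges, independently of the proxy.
      if (!allowHop(next)) throw new Error(`redirect to disallowed destination: ${next}`);
      // 303 always becomes GET; most clients also turn a POST into GET on
      // 301/302. 307/308 keep method and body.
      const method = (current.method || 'get').toLowerCase();
      const demote = res.status === 303 || ((res.status === 301 || res.status === 302) && method === 'post');
      // Keep everything else from the previous config (proxy, timeout, auth,
      // headers) and only swap the URL, so the proxy is honoured on every hop.
      current = { ...current, url: next, method: demote ? 'get' : method, data: demote ? undefined : current.data };
      hops.push(next);
    }
  }
  throw new Error(`too many redirects (more than ${maxHops})`);
}

// Constructed stand-in for axios.request: the start URL answers with a 302
// to a constructed internal address, and every call records whether the proxy
// setting arrived, which is exactly what 0.21.0 lost on the second hop.
function makeFakeClient() {
  const seen = [];
  const client = async (cfg) => {
    seen.push({ url: cfg.url, proxy: cfg.proxy, maxRedirects: cfg.maxRedirects });
    if (cfg.url === 'https://example.com/start') {
      const err = new Error('Request failed with status code 302');
      err.response = { status: 302, headers: { location: 'http://10.0.0.5/admin' }, data: '' };
      throw err;
    }
    return { status: 200, headers: {}, data: `ok from ${cfg.url}` };
  };
  return { client, seen };
}

async function demo() {
  const { client, seen } = makeFakeClient();
  const proxy = { host: 'proxy.internal', port: 3128 }; // constructed proxy
  const config = { url: 'https://example.com/start', method: 'get', proxy };
  const result = await requestThroughProxy(client, config);
  return { result, seen };
}

demo().then((out) => console.log(JSON.stringify(out, null, 2)));
```

Running it shows both recorded calls carrying the same `proxy` object and `maxRedirects: 0`, which is the property the workaround is meant to guarantee. The `allowHop` hook is worth keeping even once the proxy is honoured: routing a redirect to a restricted host through the proxy only helps if the proxy itself enforces the egress policy.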

Affected packages

Platform                                               Package                  State          Advisory   Release
OpenShift Service Mesh 1                               kiali                    Fix deferred
OpenShift Service Mesh 2.0                             kiali                    Affected
Red Hat Advanced Cluster Management for Kubernetes 2   axios                    Not affected
Red Hat OpenShift Container Platform 4                 openshift4/ose-console   Fix deferred


Additional information

Severity: Moderate
Weakness: CWE-918
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1896130
nodejs-axios: allows an attacker to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address

CVSS3: 5.9 (Medium)

Related vulnerabilities

CVSS3: 5.9
ubuntu
more than 5 years ago

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

CVSS3: 5.9
nvd
more than 5 years ago

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

CVSS3: 5.9
debian
more than 5 years ago

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) ...

CVSS3: 5.9
github
about 5 years ago

Axios vulnerable to Server-Side Request Forgery

CVSS3: 5.9
fstec
more than 4 years ago

Vulnerability in the axios library of the Aurora Center application software, allowing an attacker to carry out an SSRF attack
