Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2022-31150

Опубликовано: 19 июл. 2022
Источник: redhat
CVSS3: 6.5
EPSS Низкий

Описание

undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate \r\n is a workaround for this issue.

A flaw was found in the undici package. When requesting an input on an unsanitized request path, method, or headers it is possible to inject Carriage Return/Line Feed (CRLF) sequences into these requests.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Advanced Cluster Management for Kubernetes 2rhacm2/search-ui-rhel8Affected
Red Hat OpenShift Dev Spacesdevspaces/dashboard-rhel8Affected
Red Hat Advanced Cluster Management for Kubernetes 2acm-grafana-containerFixedRHSA-2022:669626.09.2022
Red Hat Advanced Cluster Management for Kubernetes 2acm-must-gather-containerFixedRHSA-2022:669626.09.2022
Red Hat Advanced Cluster Management for Kubernetes 2acm-operator-bundle-containerFixedRHSA-2022:669626.09.2022
Red Hat Advanced Cluster Management for Kubernetes 2application-ui-containerFixedRHSA-2022:669626.09.2022
Red Hat Advanced Cluster Management for Kubernetes 2assisted-image-service-containerFixedRHSA-2022:669626.09.2022
Red Hat Advanced Cluster Management for Kubernetes 2cert-policy-controller-containerFixedRHSA-2022:669626.09.2022
Red Hat Advanced Cluster Management for Kubernetes 2cluster-backup-operator-containerFixedRHSA-2022:669626.09.2022
Red Hat Advanced Cluster Management for Kubernetes 2clusterclaims-controller-containerFixedRHSA-2022:669626.09.2022

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-93
https://bugzilla.redhat.com/show_bug.cgi?id=2109354nodejs16: CRLF injection in node-undici

EPSS

Процентиль: 67%
0.00542
Низкий

6.5 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2022-31150

CVSS3: 5.3
ubuntu
больше 3 лет назад

undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue.

nvd логотип

CVE-2022-31150

CVSS3: 5.3
nvd
больше 3 лет назад

undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue.

debian логотип

CVE-2022-31150

CVSS3: 5.3
debian
больше 3 лет назад

undici is an HTTP/1.1 client, written from scratch for Node.js. It is ...

github логотип

GHSA-3cvr-822r-rqcc

CVSS3: 5.3
github
больше 3 лет назад

undici before v5.8.0 vulnerable to CRLF injection in request headers

suse-cvrf логотип

SUSE-SU-2022:3251-1

suse-cvrf
больше 3 лет назад

Security update for nodejs16

EPSS

Процентиль: 67%
0.00542
Низкий

6.5 Medium

CVSS3