Описание
undici is an HTTP/1.1 client, written from scratch for Node.js.undici is vulnerable to SSRF (Server-side Request Forgery) when an application takes in user input into the path/pathname option of undici.request. If a user specifies a URL such as http://127.0.0.1 or //127.0.0.1 js const undici = require("undici") undici.request({origin: "http://example.com", pathname: "//127.0.0.1"}) Instead of processing the request as http://example.org//127.0.0.1 (or http://example.org/http://127.0.0.1 when http://127.0.0.1 is used), it actually processes the request as http://127.0.0.1/ and sends it to http://127.0.0.1. If a developer passes in user input into path parameter of undici.request, it can result in an SSRF as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in undici@5.8.1. The best workaround is to validate user input before passing it to the undici.request call.
A Server-Side Request Forgery (SSRF) vulnerability was found in undici, a HTTP/1.1 client for Node.js. An attacker can manipulate the server-side application to make requests to an unintended location when they use the 'path/pathname' option in 'undici.request'.
Меры по смягчению последствий
Validate user input before passing it to the undici.request call.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/search-ui-rhel8 | Affected | ||
| Red Hat OpenShift Dev Spaces | devspaces/dashboard-rhel8 | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | acm-grafana-container | Fixed | RHSA-2022:7276 | 01.11.2022 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | acm-must-gather-container | Fixed | RHSA-2022:7276 | 01.11.2022 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | acm-operator-bundle-container | Fixed | RHSA-2022:7276 | 01.11.2022 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | application-ui-container | Fixed | RHSA-2022:7276 | 01.11.2022 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | assisted-image-service-container | Fixed | RHSA-2022:7276 | 01.11.2022 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | cert-policy-controller-container | Fixed | RHSA-2022:7276 | 01.11.2022 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | cluster-backup-operator-container | Fixed | RHSA-2022:7276 | 01.11.2022 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | clusterclaims-controller-container | Fixed | RHSA-2022:7276 | 01.11.2022 |
Показывать по
Дополнительная информация
Статус:
EPSS
5.3 Medium
CVSS3
Связанные уязвимости
undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require("undici") undici.request({origin: "http://example.com", pathname: "//127.0.0.1"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. The best workaround is to validate user input before...
undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require("undici") undici.request({origin: "http://example.com", pathname: "//127.0.0.1"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. The best workaround is to validate user input before pa
undici is an HTTP/1.1 client, written from scratch for Node.js.`undici ...
`undici.request` vulnerable to SSRF using absolute URL on `pathname`
EPSS
5.3 Medium
CVSS3