Описание
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for fetch(), but did not clear them for undici.request(). This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
A flaw was found in the nodejs-undici package. Proxy-Authorization headers are not cleared on cross-origin redirects, which can allow for the exposure of sensitive data or allow an attacker to capture the persistent proxy-authentication header.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | nodejs-undici | Not affected | ||
| Red Hat OpenShift Dev Spaces 3 Containers | devspaces/dashboard-rhel8 | Fixed | RHSA-2024:6667 | 12.09.2024 |
Показывать по
Дополнительная информация
Статус:
EPSS
3.9 Low
CVSS3
Связанные уязвимости
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici ...
Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline
EPSS
3.9 Low
CVSS3