Описание
axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.
A vulnerability was found in the Axios HTTP Client. It is vulnerable to a server-side request forgery attack (SSRF) caused by unexpected behavior where requests for path-relative URLs get processed as protocol-relative URLs. This flaw allows an attacker to perform arbitrary requests from the server, potentially accessing internal systems or exfiltrating sensitive data.
Отчет
This vulnerability is rated as IMPORTANT because it can be exploited remotely with low complexity and without user interaction, it poses a significant risk to confidentiality.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Cryostat 3 | axios | Not affected | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Not affected | ||
| Migration Toolkit for Applications 7 | mta/mta-cli-rhel9 | Not affected | ||
| Migration Toolkit for Applications 7 | mta/mta-ui-rhel9 | Not affected | ||
| Migration Toolkit for Runtimes | axios | Affected | ||
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-console-plugin-rhel9 | Not affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine/console-mce-rhel8 | Not affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-hub-api-rhel8 | Will not fix | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-hub-db-migration-rhel8 | Will not fix | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-hub-ui-rhel8 | Will not fix |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.
axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.
axios 1.7.2 allows SSRF via unexpected behavior where requests for pat ...
EPSS
7.5 High
CVSS3