Описание
Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0 as well as version 4.29.0, applications that specify different validation strategies for different content types have a possibility to bypass validation by providing a slightly altered content type such as with different casing or altered whitespacing before ;. This was patched in v5.3.1, but the initial patch did not cover all problems. This has been fully patched in v5.3.2 and v4.29.1. A workaround involves not specifying individual content types in the schema.
A flaw was found in Fastify. In affected versions, applications that specify different validation strategies for various content types can bypass validation by using a slightly altered content type, such as with different casing or altered whitespace before ;.
Отчет
None of the Red Hat Products and Services are impacted by this vulnerability.
Меры по смягчению последствий
To mitigate this vulnerability, do not specify multiple content types in the schema.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| OpenShift Serverless | openshift-serverless-1/kn-plugin-func-func-util-rhel8 | Not affected | ||
| Red Hat OpenShift AI (RHOAI) | odh-dashboard-container | Not affected | ||
| Red Hat OpenShift AI (RHOAI) | odh-operator-container | Not affected | ||
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-dashboard-rhel8 | Not affected | ||
| Red Hat OpenShift Dev Spaces | devspaces/dashboard-rhel8 | Not affected | ||
| Red Hat OpenShift Dev Spaces | devspaces/dashboard-rhel9 | Not affected |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0 as well as version 4.29.0, applications that specify different validation strategies for different content types have a possibility to bypass validation by providing a _slightly altered_ content type such as with different casing or altered whitespacing before `;`. This was patched in v5.3.1, but the initial patch did not cover all problems. This has been fully patched in v5.3.2 and v4.29.1. A workaround involves not specifying individual content types in the schema.
Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass
EPSS
7.5 High
CVSS3