Description
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1.
A flaw was found in Faraday, an HTTP client library. The build_exclusive_url method, which combines a base URL with a user-supplied path, incorrectly processes protocol-relative URLs (e.g., //evil.com/path). This allows a remote attacker to supply a specially crafted URL, leading to Server-Side Request Forgery (SSRF). An attacker can exploit this to redirect requests to an arbitrary host, potentially accessing internal resources or bypassing security controls.
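The following Ruby snippet is an added illustration, not Faraday's own code or part of the advisory. It reproduces the RFC 3986 merge behaviour the description refers to, using Ruby's standard `URI#merge` on a constructed base URL, and pairs it with a hypothetical `build_url_pinned` wrapper that an application could use to verify that a user-supplied path has not changed the scheme or host of the outgoing request. The base URL, the hostnames and the helper names are all assumptions made for the example.

```ruby
require 'uri'

# Constructed sample base URL, standing in for the base_url an application
# would configure on its HTTP client connection.
BASE_URL = 'https://api.example.com/v1/'

# Reproduce the merge semantics the advisory describes. RFC 3986 treats a
# reference starting with "//" as a network-path reference, so URI#merge
# replaces the base URL's authority (userinfo/host/port) with the one taken
# from the supplied path. This mirrors the behaviour; it is not Faraday's code.
def merge_base_and_path(base, path)
  URI(base).merge(path).to_s
end

# Hypothetical defensive wrapper (not a Faraday API): build the URL, then
# refuse to hand it back unless scheme, host and port still match the base.
class AuthorityChanged < StandardError; end

def build_url_pinned(base, path)
  base_uri = URI(base)
  merged   = base_uri.merge(path)
  same_authority = merged.scheme == base_uri.scheme &&
                   merged.host == base_uri.host &&
                   merged.port == base_uri.port
  unless same_authority
    raise AuthorityChanged, "refusing #{merged} (expected host #{base_uri.host})"
  end
  merged.to_s
end

# Boolean form of the same check, convenient for validating untrusted input
# before it reaches any request method.
def authority_preserved?(base, path)
  build_url_pinned(base, path)
  true
rescue AuthorityChanged, URI::InvalidURIError
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: one ordinary relative path, one network-path reference.
  ['users/42', '//evil.example/internal'].each do |path|
    merged = merge_base_and_path(BASE_URL, path)
    puts "#{path.inspect} -> #{merged} (authority preserved: #{authority_preserved?(BASE_URL, path)})"
  end
end
```

Running the script shows the ordinary path resolving under `api.example.com` while the `//evil.example/internal` reference resolves to a different host; the pinned builder accepts the first and raises on the second. Comparing the merged host against the configured base is a useful check even after upgrading to a fixed Faraday release, since it also catches absolute URLs (`http://...`) passed where a path was expected.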
Statement
MODERATE: The Faraday HTTP client library, used in Red Hat 3scale API Management Platform and OpenShift Container Platform components, is vulnerable to Server-Side Request Forgery (SSRF). This flaw allows an attacker to redirect requests to arbitrary hosts if user-controlled input is passed to Faraday's request methods, due to incorrect processing of protocol-relative URLs.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Affected Packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | openshift-logging/cluster-logging-operator-bundle | Fix deferred | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/cluster-logging-rhel9-operator | Fix deferred | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/eventrouter-rhel9 | Fix deferred | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/fluentd-rhel9 | Fix deferred | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/log-file-metric-exporter-rhel9 | Fix deferred | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/logging-view-plugin-rhel9 | Fix deferred | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/vector-rhel9 | Fix deferred | ||
| Red Hat 3scale API Management Platform 2 | 3scale-amp20/system | Fix deferred | ||
| Red Hat 3scale API Management Platform 2 | 3scale-amp21/system | Fix deferred | ||
| Red Hat 3scale API Management Platform 2 | 3scale-amp21/zync | Fix deferred | ||
Additional information
Status: 5.8 Medium (CVSS3)
Related vulnerabilities
Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url