3.9

CVE-2023-45143

EPSS 0.1%
Veröffentlicht 12.10.2023 17:15:10
Zuletzt bearbeitet 21.11.2024 08:26:26
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version 5.26.2. There are no known workarounds.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 14

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nodejs ≫ Undici SwPlatformnode.js Version < 5.26.2

Fedoraproject ≫ Fedora Version37

Fedoraproject ≫ Fedora Version38

Fedoraproject ≫ Fedora Version39

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.1%	0.273

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	3.5	2.1	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
security-advisories@github.com	3.9	0.5	3.4	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp

Not Applicable

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/

Third Party Advisory

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/

Third Party Advisory

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/

Third Party Advisory

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/

Third Party Advisory

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/

Third Party Advisory

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/

Third Party Advisory

Mailing List

https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76

Patch

https://github.com/nodejs/undici/releases/tag/v5.26.2

Release Notes

https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g

Vendor Advisory

https://hackerone.com/reports/2166948

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2023-45143

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-45143

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-45143

EUVD