4.3

CVE-2024-30260

Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
NodejsUndici SwPlatformnode.js Version < 5.28.4
NodejsUndici SwPlatformnode.js Version >= 6.0.0 < 6.11.1
FedoraprojectFedora Version38
FedoraprojectFedora Version39
FedoraprojectFedora Version40
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.73% 0.496
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 0.9 3.4
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
security-advisories@github.com 3.9 0.5 3.4
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/
Product
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/
Product
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/
Product
https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f
Patch
https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75
Patch
https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7
Patch
Vendor Advisory
https://security.netapp.com/advisory/ntap-20240905-0008/