CVE-2022-35949

{"id": "CVE-2022-35949", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2022-08-12T23:15:07.970", "references": [{"url": "https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nodejs/undici/releases/tag/v5.8.2", "tags": ["Release Notes", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/nodejs/undici/releases/tag/v5.8.2", "tags": ["Release Notes", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require(\"undici\") undici.request({origin: \"http://example.com\", pathname: \"//127.0.0.1\"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request` call."}, {"lang": "es", "value": "undici es un cliente HTTP/1.1, escrito desde cero para Node.js.\"undici\" es vulnerable a un ataque de tipo SSRF (Server-side Request Forgery) cuando una aplicaci\u00f3n toma la **user input** en la opci\u00f3n \"path/pathname\" de \"undici.request\". Si un usuario especifica una URL como \"http://127.0.0.1\" o \"//127.0.0.1\" \"\"js const undici = require(\"undici\") undici.request({origin: \"http://example.com\", pathname: \"//127.0.0.1\"}) \"\"\" En lugar de procesar la petici\u00f3n como \"http://example.org//127.0.0.1\" (o \"http://example.org/http://127.0.0.1\" cuando es usada \"http://127.0.0.1\"), en realidad procesa la petici\u00f3n como \"http://127.0.0.1/\" y la env\u00eda a \"http://127.0.0.1\". Si un desarrollador pasa la entrada del usuario en el par\u00e1metro \"path\" de \"undici.request\", puede resultar en un _SSRF_ ya que asumir\u00e1 que el nombre del host no puede cambiar, cuando en realidad puede cambiar porque el par\u00e1metro path especificado es combinado con la URL base. Este problema ha sido corregido en \"undici@5.8.1\". La mejor mitigaci\u00f3n es comprender la entrada del usuario antes de pasarla a la llamada \"undici.request\"."}], "lastModified": "2024-11-21T07:12:01.970", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "CB5541CA-AC2D-4CFD-82A9-CF1FFEEFBB08", "versionEndIncluding": "5.8.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}