CVE-2023-49799

{"id": "CVE-2023-49799", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-12-09T00:15:07.393", "references": [{"url": "https://fetch.spec.whatwg.org/", "tags": ["Not Applicable"], "source": "security-advisories@github.com"}, {"url": "https://fetch.spec.whatwg.org/#http-whitespace-byte", "tags": ["Not Applicable"], "source": "security-advisories@github.com"}, {"url": "https://github.com/johannschopplich/nuxt-api-party/blob/777462e1e3af1d9f8938aa33f230cd8cb6e0cc9a/src/runtime/server/handler.ts#L31", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/johannschopplich/nuxt-api-party/security/advisories/GHSA-3wfp-253j-5jxv", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://infra.spec.whatwg.org/#byte-sequence", "tags": ["Not Applicable"], "source": "security-advisories@github.com"}, {"url": "https://fetch.spec.whatwg.org/", "tags": ["Not Applicable"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://fetch.spec.whatwg.org/#http-whitespace-byte", "tags": ["Not Applicable"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/johannschopplich/nuxt-api-party/blob/777462e1e3af1d9f8938aa33f230cd8cb6e0cc9a/src/runtime/server/handler.ts#L31", "tags": ["Issue Tracking"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/johannschopplich/nuxt-api-party/security/advisories/GHSA-3wfp-253j-5jxv", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://infra.spec.whatwg.org/#byte-sequence", "tags": ["Not Applicable"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "`nuxt-api-party` is an open source module to proxy API requests. nuxt-api-party attempts to check if the user has passed an absolute URL to prevent the aforementioned attack. This has been recently changed to use the regular expression `^https?://`, however this regular expression can be bypassed by an absolute URL with leading whitespace. For example `\\nhttps://whatever.com` which has a leading newline. According to the fetch specification, before a fetch is made the URL is normalized. \"To normalize a byte sequence potentialValue, remove any leading and trailing HTTP whitespace bytes from potentialValue.\". This means the final request will be normalized to `https://whatever.com` bypassing the check and nuxt-api-party will send a request outside of the whitelist. This could allow us to leak credentials or perform Server-Side Request Forgery (SSRF). This vulnerability has been addressed in version 0.22.1. Users are advised to upgrade. Users unable to upgrade should revert to the previous method of detecting absolute URLs."}, {"lang": "es", "value": "`nuxt-api-party` es un m\u00f3dulo de c\u00f3digo abierto para enviar solicitudes de API. nuxt-api-party intenta comprobar si el usuario ha pasado una URL absoluta para evitar el ataque antes mencionado. Esto se cambi\u00f3 recientemente para usar la expresi\u00f3n regular `^https?://`; sin embargo, esta expresi\u00f3n regular se puede omitir mediante una URL absoluta con espacios en blanco al principio. Por ejemplo `\\nhttps://whatever.com` que tiene una nueva l\u00ednea inicial. Seg\u00fan la especificaci\u00f3n de recuperaci\u00f3n, antes de realizar una recuperaci\u00f3n, la URL se normaliza. \"Para normalizar una secuencia de bytes de valor potencial, elimine los bytes de espacio en blanco HTTP iniciales y finales de valor potencial\". Esto significa que la solicitud final se normalizar\u00e1 en `https://whatever.com` sin pasar por la verificaci\u00f3n y nuxt-api-party enviar\u00e1 una solicitud fuera de la lista blanca. Esto podr\u00eda permitirnos filtrar credenciales o realizar Server-Side Request Forgery (SSRF). Esta vulnerabilidad se ha solucionado en la versi\u00f3n 0.22.1. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben volver al m\u00e9todo anterior para detectar URL absolutas."}], "lastModified": "2024-11-21T08:33:52.017", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:johannschopplich:nuxt_api_party:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "3FF05127-C972-40EC-A3E2-6733D255DAA2", "versionEndIncluding": "0.21.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}