CVE-2024-28849

follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://fetch.spec.whatwg.org/#authentication-entries
https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b
https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp
https://github.com/psf/requests/issues/1885
https://hackerone.com/reports/2390009
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z/
https://fetch.spec.whatwg.org/#authentication-entries
https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b
https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp
https://github.com/psf/requests/issues/1885
https://hackerone.com/reports/2390009
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z/

Configurations

No configuration.

History

21 Nov 2024, 09:07

Type	Values Removed	Values Added
References	~~() https://fetch.spec.whatwg.org/#authentication-entries -~~	() https://fetch.spec.whatwg.org/#authentication-entries -
References	~~() https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b -~~	() https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b -
References	~~() https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp -~~	() https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp -
References	~~() https://github.com/psf/requests/issues/1885 -~~	() https://github.com/psf/requests/issues/1885 -
References	~~() https://hackerone.com/reports/2390009 -~~	() https://hackerone.com/reports/2390009 -
References	~~() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z/ -

23 Mar 2024, 03:15

Type	Values Removed	Values Added
References		() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z/ -
Summary		(es) follow-redirects es un reemplazo directo de código abierto para los módulos `http` y `https` de Node que sigue automáticamente las redirecciones. En las versiones afectadas, follow-redirects solo borra el encabezado de autorización durante el redireccionamiento entre dominios, pero mantiene el encabezado de autenticación de proxy que también contiene las credenciales. Esta vulnerabilidad puede provocar una fuga de credenciales, pero se solucionó en la versión 1.15.6. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.

14 Mar 2024, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-03-14 17:15

Updated : 2024-11-21 09:07

NVD link : CVE-2024-28849

Mitre link : CVE-2024-28849

CVE.ORG link : CVE-2024-28849

JSON object : View

Products Affected

No product.

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

6.5 /10