CVE-2024-30260
3.9
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
Summary
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for fetch(), but did not clear them for undici.request(). This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| nodejs | undici | < 5.28.4 | affected |
| nodejs | undici | >= 6.0.0, < 6.11.1 | affected |
Weaknesses
- CWE-285: CWE-285: Improper Authorization
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7
- https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f
- https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/
- https://security.netapp.com/advisory/ntap-20240905-0008/
References
- https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7
- https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f
- https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.