CVE-2024-30260

2024-04-0416:15:08

Debian Security Bug Tracker

security-tracker.debian.org

undici http/1.1 client

node.js

vulnerability

patched version

authorization headers

proxy-authorization headers

security patch

CVSS3

3.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

AI Score

7.1

Confidence

Low

EPSS

Percentile

10.3%

JSON

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for fetch(), but did not clear them for undici.request(). This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

OSVersionArchitecturePackageVersionFilename
Debian12allnode-undici<= 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u4node-undici_5.15.0+dfsg1+~cs20.10.9.3-1+deb12u4_all.deb
Debian999allnode-undici< 5.28.4+dfsg1+~cs23.12.11-1node-undici_5.28.4+dfsg1+~cs23.12.11-1_all.deb
Debian13allnode-undici< 5.28.4+dfsg1+~cs23.12.11-1node-undici_5.28.4+dfsg1+~cs23.12.11-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	node-undici	<= 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u4	node-undici_5.15.0+dfsg1+~cs20.10.9.3-1+deb12u4_all.deb
Debian	999	all	node-undici	< 5.28.4+dfsg1+~cs23.12.11-1	node-undici_5.28.4+dfsg1+~cs23.12.11-1_all.deb
Debian	13	all	node-undici	< 5.28.4+dfsg1+~cs23.12.11-1	node-undici_5.28.4+dfsg1+~cs23.12.11-1_all.deb