Lucene search

K

[email protected]NVD:CVE-2024-30261

HistoryApr 04, 2024 - 3:15 p.m.

CVE-2024-30261

2024-04-0415:15:39

CWE-284

[email protected]

web.nvd.nist.gov

2

undici

http/1.1

node.js

integrity option

fetch()

tampered

vulnerability

patch

version 5.28.4

version 6.11.1

CVSS3

2.6

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

AI Score

4.2

Confidence

High

EPSS

0

Percentile

10.3%

Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the integrity option passed to fetch(), allowing fetch() to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

References

github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055

github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3

github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672

hackerone.com/reports/2377760

lists.fedoraproject.org/archives/list/[email protected]/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/

lists.fedoraproject.org/archives/list/[email protected]/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/

lists.fedoraproject.org/archives/list/[email protected]/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/

CVSS3

2.6

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

AI Score

4.2

Confidence

High

EPSS

0

Percentile

10.3%

Related for NVD:CVE-2024-30261

cbl_mariner2 osv2 nessus10 redhatcve1 vulnrichment1 ibm6 debiancve1 cve1 ubuntucve1 veracode1 cvelist1 hackerone1 github1 fedora3 openvas6 redhat1