Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
osvGoogleOSV:GHSA-Q768-X9M6-M9QP
HistoryJul 21, 2022 - 8:31 p.m.

undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect

2022-07-2120:31:05
Google
osv.dev
5

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

5.7 Medium

AI Score

Confidence

High

0.009 Low

EPSS

Percentile

82.4%

JSON

Impact

Authorization headers are already cleared on cross-origin redirect in
https://github.com/nodejs/undici/blob/main/lib/handler/redirect.js#L189, based on https://github.com/nodejs/undici/issues/872.

However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There also has been active discussion of implementing a cookie store https://github.com/nodejs/undici/pull/1441, which suggests that there are active users using cookie headers in undici.
As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.

Patches

This was patched in v5.8.0.

Workarounds

By default, this vulnerability is not exploitable.
Do not enable redirections, i.e. maxRedirections: 0 (the default).

References

https://hackerone.com/reports/1635514
https://curl.se/docs/CVE-2018-1000007.html
https://curl.se/docs/CVE-2022-27776.html

For more information

If you have any questions or comments about this advisory:

CPENameOperatorVersion
undicilt5.8.0

Related

github 7
osv 16
veracode 4
debiancve 7
prion 7
nvd 7
ubuntucve 7
cve 7
cvelist 7
redhatcve 4
nessus 42
openvas 24
hackerone 5
ibm 10
ubuntu 2
freebsd 3
debian 2
symantec 1
cbl_mariner 2
alpinelinux 3
mscve 1
rubygems 2
archlinux 6
fedora 6
slackware 2
cloudfoundry 1
amazon 3
altlinux 1
friendsofphp 2
suse 1
oraclelinux 2
redhat 2
almalinux 2
mageia 1
github
github
undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect
2022-07-21 20:31:05
Undici's cookie header not cleared on cross-origin redirect in fetch
2023-10-16 14:05:37
Unsafe HTTP Redirect in Puppet Agent and Puppet Server
2021-12-02 17:52:45
osv
osv
CVE-2023-45143
2023-10-12 17:15:10
Undici's cookie header not cleared on cross-origin redirect in fetch
2023-10-16 14:05:37
CVE-2018-1000007
2018-01-24 22:29:00
veracode
veracode
Open Redirect
2022-07-22 08:40:00
Information Disclosure
2019-01-15 09:25:18
Cross-Origin Cookie Leakage
2023-10-13 04:59:40
debiancve
debiancve
CVE-2022-31151
2022-07-21 04:15:12
CVE-2018-1000007
2018-01-24 22:29:00
CVE-2023-45143
2023-10-12 17:15:10
prion
prion
Authorization
2022-07-21 04:15:00
Authentication flaw
2018-01-24 22:29:00
Authorization
2023-10-12 17:15:00
nvd
nvd
CVE-2022-31151
2022-07-21 04:15:12
CVE-2018-1000007
2018-01-24 22:29:00
CVE-2023-45143
2023-10-12 17:15:10
ubuntucve
ubuntucve
CVE-2022-31151
2022-07-21 00:00:00
CVE-2018-1000007
2018-01-24 00:00:00
CVE-2023-45143
2023-10-12 00:00:00
cve
cve
CVE-2022-31151
2022-07-21 04:15:12
CVE-2018-1000007
2018-01-24 22:29:00
CVE-2023-45143
2023-10-12 17:15:10
cvelist
cvelist
CVE-2022-31151 Uncleared cookies on cross-host/cross-origin redirect in undici
2022-07-20 23:00:15
CVE-2018-1000007
2018-01-24 22:00:00
CVE-2023-45143 Undici's cookie header not cleared on cross-origin redirect in fetch
2023-10-12 16:35:40
redhatcve
redhatcve
CVE-2022-31151
2022-08-25 11:40:39
CVE-2018-1000007
2018-01-24 08:19:31
CVE-2023-45143
2023-10-13 22:52:18
nessus
nessus
SUSE SLED12 / SLES12 Security Update : curl (SUSE-SU-2018:0217-1)
2018-01-25 00:00:00
FreeBSD : cURL -- Multiple vulnerabilities (0cbf0fa6-dcb7-469c-b87a-f94cffd94583)
2018-01-29 00:00:00
Debian DLA-1263-1 : curl security update
2018-01-30 00:00:00
openvas
openvas
Debian: Security Advisory (DLA-1263-1)
2018-01-30 00:00:00
SUSE: Security Advisory (SUSE-SU-2018:0217-1)
2021-04-19 00:00:00
Ubuntu: Security Advisory (USN-3554-2)
2022-08-26 00:00:00
hackerone
hackerone
curl: Proxy-Authorization header carried to a new host on a redirect
2021-01-25 02:37:39
Internet Bug Bounty: Cookie headers are not cleared in cross-domain redirect in undici-fetch
2023-11-07 15:47:49
curl: Credential leak on redirect
2022-05-13 11:31:21
ibm
ibm
Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by a vulnerability in cURL (CVE-2018-1000007)
2023-12-07 22:31:02
Security Bulletin: IBM App Connect Enterprise is vulnerable to a remote authenticated attacker due to the electron module (CVE-2023-45143)
2024-01-17 16:30:49
Security Bulletin: IBM App Connect Enterprise Certified Container operands may be vulnerable to loss of confidentiality due to CVE-2022-27776
2022-11-04 18:06:17
ubuntu
ubuntu
curl vulnerability
2018-02-01 00:00:00
curl vulnerabilities
2018-01-31 00:00:00
freebsd
freebsd
cURL -- Multiple vulnerabilities
2018-01-24 00:00:00
puppet -- Unsafe HTTP Redirect
2021-11-09 00:00:00
mediawiki -- multiple vulnerabilities
2022-05-16 00:00:00
debian
debian
[SECURITY] [DLA 1263-1] curl security update
2018-01-29 21:39:06
[SECURITY] [DSA 4098-1] curl security update
2018-01-26 09:59:00
symantec
symantec
cURL/libcURL CVE-2018-1000007 Information Disclosure Vulnerability
2018-01-24 00:00:00
cbl_mariner
cbl_mariner
CVE-2023-45143 affecting package nodejs18 for versions less than 18.18.2-2
2023-11-08 02:07:28
CVE-2022-27776 affecting package curl 7.76.0-9
2022-05-12 02:16:39
alpinelinux
alpinelinux
CVE-2023-45143
2023-10-12 17:15:10
CVE-2022-27776
2022-06-02 14:15:43
CVE-2021-31879
2021-04-29 05:15:00
mscve
mscve
HackerOne: CVE-2022-27776 Insufficiently protected credentials vulnerability might leak authentication or cookie header data
2022-07-12 07:00:00
rubygems
rubygems
Unsafe HTTP Redirect in Puppet Agent and Puppet Server
2021-12-01 21:00:00
Authorization header leak on port redirect in mechanize
2022-06-08 21:00:00
archlinux
archlinux
[ASA-201801-23] libcurl-compat: multiple issues
2018-01-29 00:00:00
[ASA-201801-22] lib32-curl: multiple issues
2018-01-29 00:00:00
[ASA-201801-26] lib32-libcurl-compat: multiple issues
2018-01-29 00:00:00
fedora
fedora
[SECURITY] Fedora 26 Update: curl-7.53.1-14.fc26
2018-01-30 17:34:43
[SECURITY] Fedora 27 Update: curl-7.55.1-9.fc27
2018-01-30 18:12:27
[SECURITY] Fedora 37 Update: mediawiki-1.38.2-1.fc37
2022-09-12 17:57:50
slackware
slackware
[slackware-security] curl
2018-01-25 02:28:38
[slackware-security] curl
2022-04-27 21:48:34
cloudfoundry
cloudfoundry
USN-3554-1: curl vulnerabilities | Cloud Foundry
2018-03-01 00:00:00
amazon
amazon
Important: curl
2018-02-20 20:57:00
Important: curl
2018-02-07 18:08:00
Medium: curl
2022-05-04 01:01:00
altlinux
altlinux
Security fix for the ALT Linux 8 package curl version 7.58.0-alt1
2018-01-24 00:00:00
friendsofphp
friendsofphp
CURLOPT_HTTPAUTH option not cleared on change of origin
2022-06-20 22:24:00
Change in port should be considered a change in origin
2022-06-20 22:24:00
suse
suse
Security update for curl (moderate)
2022-05-13 00:00:00
oraclelinux
oraclelinux
18 security update
2023-10-20 00:00:00
nodejs:18 security update
2023-10-23 00:00:00
redhat
redhat
(RHSA-2023:5869) Important: nodejs:18 security update
2023-10-18 22:01:20
(RHSA-2023:5849) Important: nodejs:18 security update
2023-10-18 15:11:16
almalinux
almalinux
Important: nodejs:18 security update
2023-10-18 00:00:00
Important: nodejs:18 security update
2023-10-18 00:00:00
mageia
mageia
Updated nodejs packages fix security vulnerabilities
2023-10-23 00:04:51

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

5.7 Medium

AI Score

Confidence

High

0.009 Low

EPSS

Percentile

82.4%

JSON
Related for OSV:GHSA-Q768-X9M6-M9QP
github7osv16veracode4debiancve7prion7nvd7ubuntucve7cve7cvelist7redhatcve4nessus42openvas24hackerone5ibm10ubuntu2freebsd3debian2symantec1cbl_mariner2alpinelinux3mscve1rubygems2archlinux6fedora6slackware2cloudfoundry1amazon3altlinux1friendsofphp2suse1oraclelinux2redhat2almalinux2mageia1