CVE-2022-0235
HIGH8.8EPSS 0.29%node-fetch forwards secure headers to untrusted sites
Published: 1/21/2022Modified: 11/8/2023
Also known as:GHSA-r683-j2x4-v87g
Description
node-fetch forwards secure headers such as `authorization`, `www-authenticate`, `cookie`, & `cookie2` when redirecting to a untrusted site.
Affected packages (3)
- Debian/node-fetchfrom 0, < 2.6.1-5+deb11u1
- Debian/node-fetchfrom 0, < 1.7.3-1+deb10u1
- npm/node-fetch>= 3.0.0, < 3.1.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References (11)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-0235
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-0235
- PATCHhttps://github.com/node-fetch/node-fetch
- WEBhttps://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
- WEBhttps://github.com/node-fetch/node-fetch/commit/1ef4b560a17e644a02a3bfdea7631ffeee578b35
- WEBhttps://github.com/node-fetch/node-fetch/commit/36e47e8a6406185921e4985dcbeff140d73eaa10
- WEBhttps://github.com/node-fetch/node-fetch/commit/5c32f002fdd65b1c6a8f1e3620210813d45c7e60
- WEBhttps://github.com/node-fetch/node-fetch/pull/1449/commits/5c32f002fdd65b1c6a8f1e3620210813d45c7e60
- WEBhttps://github.com/node-fetch/node-fetch/pull/1453
- WEBhttps://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7
- WEBhttps://lists.debian.org/debian-lts-announce/2022/12/msg00007.html