CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2022-35948 – CRLF Injection in Nodejs ‘undici’ via Content-Type
https://notcve.org/view.php?id=CVE-2022-35948
undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET', headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround. undici es un cliente HTTP/1.1, escrito desde cero para Node.js." versiones anteriores a undici@5.8.0 incluyéndola" los usuarios son vulnerables a una Inyección CRLF en los encabezados cuando usan entradas no saneadas como encabezados de petición, más concretamente, dentro del encabezado "content-type". Ejemplo: """ import { request } from "undici" const unsanitizedContentTypeInput = "application/json\r\n\r\nGET /foo2 HTTP/1.1" await request("http://localhost:3000, { method: "GET", headers: { "content-type": unsanitizedContentTypeInput }, }) """ El fragmento anterior llevará a cabo dos peticiones en una sola llamada a la API "request": 1) "http://localhost:3000/" 2) "http://localhost:3000/foo2" Este problema fue parcheado en Undici versión v5.8.1. Sanear la entrada cuando son enviados encabezados de tipo de contenido usando la entrada del usuario como mitigación. • https://github.com/nodejs/undici/commit/66165d604fd0aee70a93ed5c44ad4cc2df395f80 https://github.com/nodejs/undici/releases/tag/v5.8.2 https://github.com/nodejs/undici/security/advisories/GHSA-f772-66g8-q5h3 https://access.redhat.com/security/cve/CVE-2022-35948 https://bugzilla.redhat.com/show_bug.cgi?id=2121101 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-35949 – `undici.request` vulnerable to SSRF using absolute URL on `pathname`
https://notcve.org/view.php?id=CVE-2022-35949
undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require("undici") undici.request({origin: "http://example.com", pathname: "//127.0.0.1"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. • https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895 https://github.com/nodejs/undici/releases/tag/v5.8.2 https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3 https://access.redhat.com/security/cve/CVE-2022-35949 https://bugzilla.redhat.com/show_bug.cgi?id=2121068 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-31151 – Uncleared cookies on cross-host/cross-origin redirect in undici
https://notcve.org/view.php?id=CVE-2022-31151
Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. • https://github.com/nodejs/undici/issues/872 https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp https://hackerone.com/reports/1635514 https://security.netapp.com/advisory/ntap-20220909-0006 https://access.redhat.com/security/cve/CVE-2022-31151 https://bugzilla.redhat.com/show_bug.cgi?id=2121396 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-346: Origin Validation Error CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 2CVE-2022-31150 – CRLF injection in request headers
https://notcve.org/view.php?id=CVE-2022-31150
undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue. undici es un cliente HTTP/1.1, escrito desde cero para Node.js. Es posible inyectar secuencias de tipo CRLF en los encabezados de las peticiones en undici en versiones anteriores a 5.7.1. • https://github.com/nodejs/undici/releases/tag/v5.8.0 https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc https://hackerone.com/reports/409943 https://security.netapp.com/advisory/ntap-20220915-0002 https://access.redhat.com/security/cve/CVE-2022-31150 https://bugzilla.redhat.com/show_bug.cgi?id=2109354 • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 2CVE-2022-32210
https://notcve.org/view.php?id=CVE-2022-32210
`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server. "Undici.ProxyAgent" nunca verifica el certificado del servidor remoto, y siempre expone todos los datos de petición y respuesta al proxy. Esto significa inesperadamente que los proxies pueden MitM todo el tráfico HTTPS, y si la URL del proxy es HTTP entonces también significa que las peticiones nominalmente HTTPS son realmente enviadas por medio de texto plano HTTP entre Undici y el servidor proxy • https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33 https://hackerone.com/reports/1583680 • CWE-295: Improper Certificate Validation •