CVE-2022-31151 – Uncleared cookies on cross-host/cross-origin redirect in undici
https://notcve.org/view.php?id=CVE-2022-31151
Authorization headers are cleared on cross-origin redirect. However, Cookie headers, which are equally sensitive and are official headers in the spec, remain uncleared. There are active users sending cookie headers through undici. This may lead to accidental leakage of a cookie to a third-party site, or allow an attacker who controls the redirect target (i.e. an open redirector) to leak the cookie to a third-party site. This was patched in v5.7.1.
References: https://github.com/nodejs/undici/issues/872 https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp https://hackerone.com/reports/1635514 https://security.netapp.com/advisory/ntap-20220909-0006 https://access.redhat.com/security/cve/CVE-2022-31151 https://bugzilla.redhat.com/show_bug.cgi?id=2121396
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-346: Origin Validation Error; CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CVE-2022-31150 – CRLF injection in request headers
https://notcve.org/view.php?id=CVE-2022-31150
undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue.
References: https://github.com/nodejs/undici/releases/tag/v5.8.0 https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc https://hackerone.com/reports/409943 https://security.netapp.com/advisory/ntap-20220915-0002 https://access.redhat.com/security/cve/CVE-2022-31150 https://bugzilla.redhat.com/show_bug.cgi?id=2109354
CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
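The two mitigations described in the entries above (dropping Cookie and Authorization when a redirect leaves the origin, and refusing header names or values that contain CR or LF) as an added example in plain Node.js; this is not undici's own code, and the header object shape and the function names are assumptions:

```javascript
// Added example, not from undici. Assumes plain-object headers and the
// WHATWG URL class available in Node.js.

// Headers that must not follow a redirect to a different origin.
const SENSITIVE_ON_CROSS_ORIGIN = new Set([
  'authorization',
  'cookie',
  'proxy-authorization',
]);

// Same origin means same scheme, host and port; a port change counts
// as a different origin.
function sameOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin === new URL(toUrl).origin;
}

// Builds the header set to send to a redirect target. Cookie and
// Authorization survive only when the redirect stays on the same origin.
function headersForRedirect(headers, fromUrl, toUrl) {
  const keep = sameOrigin(fromUrl, toUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!keep && SENSITIVE_ON_CROSS_ORIGIN.has(name.toLowerCase())) continue;
    out[name] = value;
  }
  return out;
}

// Rejects any header name or value containing CR or LF, so untrusted
// input cannot terminate a header line and start another one.
function assertNoCrlf(headers) {
  for (const [name, value] of Object.entries(headers)) {
    // String() also covers array-valued headers (joined with commas).
    if (/[\r\n]/.test(name) || /[\r\n]/.test(String(value))) {
      throw new TypeError(`invalid characters in header "${name}"`);
    }
  }
  return headers;
}
```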
CVE-2022-32210
https://notcve.org/view.php?id=CVE-2022-32210
`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request and response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then nominally HTTPS requests are actually sent as plain-text HTTP between Undici and the proxy server.
References: https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33 https://hackerone.com/reports/1583680
CWE-295: Improper Certificate Validation