CVE-2024-28849 – Proxy-Authorization header kept across hosts in follow-redirects
https://notcve.org/view.php?id=CVE-2024-28849
follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions, follow-redirects clears the Authorization header on a cross-domain redirect but keeps the Proxy-Authorization header, which also carries credentials. This can leak those credentials to the redirect target. The issue has been addressed in version 1.15.6; users are advised to upgrade. There are no known workarounds for this vulnerability.
References:
https://fetch.spec.whatwg.org/#authentication-entries
https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b
https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp
https://github.com/psf/requests/issues/1885
https://hackerone.com/reports/2390009
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z
https://access.redhat.com/security/cve/CVE-2024-28849
https://bugzilla.red
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-0536 – Improper Removal of Sensitive Information Before Storage or Transfer in follow-redirects/follow-redirects
https://notcve.org/view.php?id=CVE-2022-0536
Improper Removal of Sensitive Information Before Storage or Transfer in the NPM package follow-redirects prior to 1.14.8. A flaw was found in the follow-redirects package: when a redirect stays on the same hostname but switches from HTTPS to HTTP, the Authorization header is forwarded over the insecure HTTP connection, exposing sensitive information to an unauthorized actor. Exploiting this requires a man-in-the-middle (MITM) attack.
References:
https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445
https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db
https://access.redhat.com/security/cve/CVE-2022-0536
https://bugzilla.redhat.com/show_bug.cgi?id=2053259
CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer
CVE-2022-0155 – Exposure of Private Personal Information to an Unauthorized Actor in follow-redirects/follow-redirects
https://notcve.org/view.php?id=CVE-2022-0155
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor. A flaw was found in follow-redirects when fetching a remote URL with a cookie: when the response redirects via the Location header, the cookie is forwarded to the new location. Because the cookie is leaked, this flaw allows an attacker to hijack the account.
References:
https://github.com/coana-tech/CVE-2022-0155-PoC
https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
https://github.com/follow-redirects/follow-redirects/commit/8b347cbcef7c7b72a6e9be20f5710c17d6163c22
https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406
https://access.redhat.com/security/cve/CVE-2022-0155
https://bugzilla.redhat.com/show_bug.cgi?id=2044556
CWE-359: Exposure of Private Personal Information to an Unauthorized Actor