{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-28849", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-11T22:45:07.685Z", "datePublished": "2024-03-14T17:07:27.338Z", "dateUpdated": "2025-02-13T17:47:32.862Z"}, "containers": {"cna": {"title": "Proxy-Authorization header kept across hosts in follow-redirects", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp"}, {"name": "https://github.com/psf/requests/issues/1885", "tags": ["x_refsource_MISC"], "url": "https://github.com/psf/requests/issues/1885"}, {"name": "https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b", "tags": ["x_refsource_MISC"], "url": "https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b"}, {"name": "https://hackerone.com/reports/2390009", "tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/2390009"}, {"name": "https://fetch.spec.whatwg.org/#authentication-entries", "tags": ["x_refsource_MISC"], "url": "https://fetch.spec.whatwg.org/#authentication-entries"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z/"}], "affected": [{"vendor": "follow-redirects", "product": "follow-redirects", "versions": [{"version": "< 1.15.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-23T03:06:02.341Z"}, "descriptions": [{"lang": "en", "value": "follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-cxjh-pqwp-8mfp", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:56:58.148Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp"}, {"name": "https://github.com/psf/requests/issues/1885", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/psf/requests/issues/1885"}, {"name": "https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b"}, {"name": "https://hackerone.com/reports/2390009", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/2390009"}, {"name": "https://fetch.spec.whatwg.org/#authentication-entries", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://fetch.spec.whatwg.org/#authentication-entries"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z/", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "follow-redirects_project", "product": "follow-redirects", "cpes": ["cpe:2.3:a:follow-redirects_project:follow-redirects:*:*:*:*:*:node.js:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.15.6", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-02T19:45:25.235625Z", "id": "CVE-2024-28849", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-02T19:46:22.123Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp", "name": "https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/psf/requests/issues/1885", "name": "https://github.com/psf/requests/issues/1885", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b", "name": "https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://hackerone.com/reports/2390009", "name": "https://hackerone.com/reports/2390009", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://fetch.spec.whatwg.org/#authentication-entries", "name": "https://fetch.spec.whatwg.org/#authentication-entries", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:56:58.148Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28849", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-02T19:45:25.235625Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:follow-redirects_project:follow-redirects:*:*:*:*:*:node.js:*:*"], "vendor": "follow-redirects_project", "product": "follow-redirects", "versions": [{"status": "affected", "version": "0", "lessThan": "1.15.6", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-02T19:46:17.031Z"}}], "cna": {"title": "Proxy-Authorization header kept across hosts in follow-redirects", "source": {"advisory": "GHSA-cxjh-pqwp-8mfp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "follow-redirects", "product": "follow-redirects", "versions": [{"status": "affected", "version": "< 1.15.6"}]}], "references": [{"url": "https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp", "name": "https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/psf/requests/issues/1885", "name": "https://github.com/psf/requests/issues/1885", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b", "name": "https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b", "tags": ["x_refsource_MISC"]}, {"url": "https://hackerone.com/reports/2390009", "name": "https://hackerone.com/reports/2390009", "tags": ["x_refsource_MISC"]}, {"url": "https://fetch.spec.whatwg.org/#authentication-entries", "name": "https://fetch.spec.whatwg.org/#authentication-entries", "tags": ["x_refsource_MISC"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z/"}], "descriptions": [{"lang": "en", "value": "follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-14T17:07:27.338Z"}}}, "cveMetadata": {"cveId": "CVE-2024-28849", "state": "PUBLISHED", "dateUpdated": "2024-08-02T19:46:22.123Z", "dateReserved": "2024-03-11T22:45:07.685Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-03-14T17:07:27.338Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "follow-redirects es un reemplazo directo de c\u00f3digo abierto para los m\u00f3dulos `http` y `https` de Node que sigue autom\u00e1ticamente las redirecciones. En las versiones afectadas, follow-redirects solo borra el encabezado de autorizaci\u00f3n durante el redireccionamiento entre dominios, pero mantiene el encabezado de autenticaci\u00f3n de proxy que tambi\u00e9n contiene las credenciales. Esta vulnerabilidad puede provocar una fuga de credenciales, pero se solucion\u00f3 en la versi\u00f3n 1.15.6. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2024-28849", "lastModified": "2024-11-21T09:07:02.530", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-03-14T17:15:52.097", "references": [{"source": "security-advisories@github.com", "url": "https://fetch.spec.whatwg.org/#authentication-entries"}, {"source": "security-advisories@github.com", "url": "https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b"}, {"source": "security-advisories@github.com", "url": "https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp"}, {"source": "security-advisories@github.com", "url": "https://github.com/psf/requests/issues/1885"}, {"source": "security-advisories@github.com", "url": "https://hackerone.com/reports/2390009"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://fetch.spec.whatwg.org/#authentication-entries"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/psf/requests/issues/1885"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://hackerone.com/reports/2390009"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:3550", "cpe": "cpe:/a:redhat:rhboac_hawtio:4.0.0", "package": "follow-redirects", "product_name": "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3920", "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package": "follow-redirects", "product_name": "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date": "2024-06-13T00:00:00Z"}, {"advisory": "RHSA-2024:3989", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package": "mta/mta-ui-rhel9:6.2.3-2", "product_name": "MTA-6.2-RHEL-9", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:3989", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package": "mta/mta-windup-addon-rhel9:6.2.3-2", "product_name": "MTA-6.2-RHEL-9", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:3316", "cpe": "cpe:/a:redhat:migration_toolkit_applications:7.0::el9", "package": "mta/mta-cli-rhel9:7.0.3-16", "product_name": "MTA-7.0-RHEL-9", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:3316", "cpe": "cpe:/a:redhat:migration_toolkit_applications:7.0::el9", "package": "mta/mta-ui-rhel9:7.0.3-13", "product_name": "MTA-7.0-RHEL-9", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHBA-2024:2862", "cpe": "cpe:/a:redhat:multicluster_engine:2.5::el8", "package": "multicluster-engine/console-mce-rhel9:v2.5.3-7", "product_name": "multicluster engine for Kubernetes 2.5 for RHEL 9", "release_date": "2024-05-15T00:00:00Z"}, {"advisory": "RHBA-2024:2862", "cpe": "cpe:/a:redhat:multicluster_engine:2.5::el8", "package": "multicluster-engine/multicluster-engine-console-mce-rhel9:v2.5.3-7", "product_name": "multicluster engine for Kubernetes 2.5 for RHEL 9", "release_date": "2024-05-15T00:00:00Z"}, {"advisory": "RHSA-2024:3868", "cpe": "cpe:/a:redhat:network_observ_optr:1.6.0::el9", "package": "network-observability/network-observability-cli-rhel9:v1.6.0-66", "product_name": "NETWORK-OBSERVABILITY-1.6.0-RHEL-9", "release_date": "2024-06-17T00:00:00Z"}, {"advisory": "RHSA-2024:3868", "cpe": "cpe:/a:redhat:network_observ_optr:1.6.0::el9", "package": "network-observability/network-observability-console-plugin-rhel9:v1.6.0-66", "product_name": "NETWORK-OBSERVABILITY-1.6.0-RHEL-9", "release_date": "2024-06-17T00:00:00Z"}, {"advisory": "RHSA-2024:3868", "cpe": "cpe:/a:redhat:network_observ_optr:1.6.0::el9", "package": "network-observability/network-observability-ebpf-agent-rhel9:v1.6.0-66", "product_name": "NETWORK-OBSERVABILITY-1.6.0-RHEL-9", "release_date": "2024-06-17T00:00:00Z"}, {"advisory": "RHSA-2024:3868", "cpe": "cpe:/a:redhat:network_observ_optr:1.6.0::el9", "package": "network-observability/network-observability-flowlogs-pipeline-rhel9:v1.6.0-66", "product_name": "NETWORK-OBSERVABILITY-1.6.0-RHEL-9", "release_date": "2024-06-17T00:00:00Z"}, {"advisory": "RHSA-2024:3868", "cpe": "cpe:/a:redhat:network_observ_optr:1.6.0::el9", "package": "network-observability/network-observability-operator-bundle:1.6.0-78", "product_name": "NETWORK-OBSERVABILITY-1.6.0-RHEL-9", "release_date": "2024-06-17T00:00:00Z"}, {"advisory": "RHSA-2024:3868", "cpe": "cpe:/a:redhat:network_observ_optr:1.6.0::el9", "package": "network-observability/network-observability-rhel9-operator:v1.6.0-66", "product_name": "NETWORK-OBSERVABILITY-1.6.0-RHEL-9", "release_date": "2024-06-17T00:00:00Z"}, {"advisory": "RHBA-2024:2034", "cpe": "cpe:/a:redhat:acm:2.10::el9", "package": "rhacm2/console-rhel9:v2.10.2-3", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9", "release_date": "2024-04-24T00:00:00Z"}, {"advisory": "RHSA-2024:4836", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-central-db-rhel8:4.5.0-2", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2024-07-24T00:00:00Z"}, {"advisory": "RHSA-2024:4836", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-collector-rhel8:4.5.0-2", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2024-07-24T00:00:00Z"}, {"advisory": "RHSA-2024:4836", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-collector-slim-rhel8:4.5.0-2", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2024-07-24T00:00:00Z"}, {"advisory": "RHSA-2024:4836", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-main-rhel8:4.5.0-3", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2024-07-24T00:00:00Z"}, {"advisory": "RHSA-2024:4836", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-operator-bundle:4.5.0-3", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2024-07-24T00:00:00Z"}, {"advisory": "RHSA-2024:4836", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-rhel8-operator:4.5.0-2", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2024-07-24T00:00:00Z"}, {"advisory": "RHSA-2024:4836", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-roxctl-rhel8:4.5.0-2", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2024-07-24T00:00:00Z"}, {"advisory": "RHSA-2024:4836", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-scanner-db-rhel8:4.5.0-2", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2024-07-24T00:00:00Z"}, {"advisory": "RHSA-2024:4836", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8:4.5.0-2", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2024-07-24T00:00:00Z"}, {"advisory": "RHSA-2024:4836", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-scanner-rhel8:4.5.0-2", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2024-07-24T00:00:00Z"}, {"advisory": "RHSA-2024:4836", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-scanner-slim-rhel8:4.5.0-2", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2024-07-24T00:00:00Z"}, {"advisory": "RHSA-2024:4836", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.5.0-2", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2024-07-24T00:00:00Z"}, {"advisory": "RHSA-2024:4836", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-rhel8:4.5.0-3", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2024-07-24T00:00:00Z"}, {"advisory": "RHSA-2024:3781", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el8", "package": "automation-hub-0:4.9.2-1.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "release_date": "2024-06-10T00:00:00Z"}, {"advisory": "RHSA-2024:3781", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el8", "package": "python3x-galaxy-ng-0:4.9.2-1.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "release_date": "2024-06-10T00:00:00Z"}, {"advisory": "RHSA-2024:3781", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el9", "package": "automation-hub-0:4.9.2-1.el9ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 9", "release_date": "2024-06-10T00:00:00Z"}, {"advisory": "RHSA-2024:3781", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el9", "package": "python-galaxy-ng-0:4.9.2-1.el9ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 9", "release_date": "2024-06-10T00:00:00Z"}, {"advisory": "RHSA-2024:7164", "cpe": "cpe:/a:redhat:rhmt:1.8::el8", "package": "rhmtc/openshift-migration-ui-rhel8:v1.8.4-10", "product_name": "Red Hat Migration Toolkit for Containers 1.8", "release_date": "2024-09-26T00:00:00Z"}, {"advisory": "RHSA-2024:0041", "cpe": "cpe:/a:redhat:openshift:4.16::el9", "package": "openshift4/ose-monitoring-plugin-rhel9:v4.16.0-202406140306.p0.gf1fc431.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.16", "release_date": "2024-06-27T00:00:00Z"}, {"advisory": "RHSA-2024:8677", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8", "package": "openshift-gitops-1/argocd-rhel8:v1.12.6-2", "product_name": "Red Hat OpenShift GitOps 1.12", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8677", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8", "package": "openshift-gitops-1/argo-rollouts-rhel8:v1.12.6-2", "product_name": "Red Hat OpenShift GitOps 1.12", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8677", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8", "package": "openshift-gitops-1/console-plugin-rhel8:v1.12.6-2", "product_name": "Red Hat OpenShift GitOps 1.12", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8677", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8", "package": "openshift-gitops-1/dex-rhel8:v1.12.6-2", "product_name": "Red Hat OpenShift GitOps 1.12", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8677", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8", "package": "openshift-gitops-1/gitops-operator-bundle:v1.12.6-2", "product_name": "Red Hat OpenShift GitOps 1.12", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8677", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8", "package": "openshift-gitops-1/gitops-rhel8:v1.12.6-2", "product_name": "Red Hat OpenShift GitOps 1.12", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8677", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8", "package": "openshift-gitops-1/gitops-rhel8-operator:v1.12.6-2", "product_name": "Red Hat OpenShift GitOps 1.12", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8677", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8", "package": "openshift-gitops-1/kam-delivery-rhel8:v1.12.6-2", "product_name": "Red Hat OpenShift GitOps 1.12", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8677", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8", "package": "openshift-gitops-1/must-gather-rhel8:v1.12.6-2", "product_name": "Red Hat OpenShift GitOps 1.12", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8677", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el9", "package": "openshift-gitops-argocd-rhel9-container-v1.12.6-1", "product_name": "Red Hat OpenShift GitOps 1.12 - RHEL 9", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:1946", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/grafana-rhel8:2.5.1-2", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1946", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/istio-cni-rhel8:2.5.1-8", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1946", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/istio-must-gather-rhel8:2.5.1-3", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1946", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/istio-rhel8-operator:2.5.1-7", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1946", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/kiali-ossmc-rhel8:1.73.7-2", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1946", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/kiali-rhel8:1.73.7-5", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1946", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/kiali-rhel8-operator:1.73.7-4", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1946", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/pilot-rhel8:2.5.1-8", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1946", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/proxyv2-rhel8:2.5.1-8", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1946", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/ratelimit-rhel8:2.5.1-2", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1474", "cpe": "cpe:/a:redhat:logging:5.8::el9", "package": "openshift-logging/cluster-logging-operator-bundle:v5.8.5-17", "product_name": "RHOL-5.8-RHEL-9", "release_date": "2024-03-27T00:00:00Z"}, {"advisory": "RHSA-2024:1474", "cpe": "cpe:/a:redhat:logging:5.8::el9", "package": "openshift-logging/cluster-logging-rhel9-operator:v5.8.5-7", "product_name": "RHOL-5.8-RHEL-9", "release_date": "2024-03-27T00:00:00Z"}, {"advisory": "RHSA-2024:1474", "cpe": "cpe:/a:redhat:logging:5.8::el9", "package": "openshift-logging/elasticsearch6-rhel9:v6.8.1-401", "product_name": "RHOL-5.8-RHEL-9", "release_date": "2024-03-27T00:00:00Z"}, {"advisory": "RHSA-2024:1474", "cpe": "cpe:/a:redhat:logging:5.8::el9", "package": "openshift-logging/elasticsearch-operator-bundle:v5.8.5-7", "product_name": "RHOL-5.8-RHEL-9", "release_date": "2024-03-27T00:00:00Z"}, {"advisory": "RHSA-2024:1474", "cpe": "cpe:/a:redhat:logging:5.8::el9", "package": "openshift-logging/elasticsearch-proxy-rhel9:v1.0.0-471", "product_name": "RHOL-5.8-RHEL-9", "release_date": "2024-03-27T00:00:00Z"}, {"advisory": "RHSA-2024:1474", "cpe": "cpe:/a:redhat:logging:5.8::el9", "package": "openshift-logging/elasticsearch-rhel9-operator:v5.8.5-3", "product_name": "RHOL-5.8-RHEL-9", "release_date": "2024-03-27T00:00:00Z"}, {"advisory": "RHSA-2024:1474", "cpe": "cpe:/a:redhat:logging:5.8::el9", "package": "openshift-logging/eventrouter-rhel9:v0.4.0-236", "product_name": "RHOL-5.8-RHEL-9", "release_date": "2024-03-27T00:00:00Z"}, {"advisory": "RHSA-2024:1474", "cpe": "cpe:/a:redhat:logging:5.8::el9", "package": "openshift-logging/fluentd-rhel9:v5.8.5-3", "product_name": "RHOL-5.8-RHEL-9", "release_date": "2024-03-27T00:00:00Z"}, {"advisory": "RHSA-2024:1474", "cpe": "cpe:/a:redhat:logging:5.8::el9", "package": "openshift-logging/log-file-metric-exporter-rhel9:v1.1.0-216", "product_name": "RHOL-5.8-RHEL-9", "release_date": "2024-03-27T00:00:00Z"}, {"advisory": "RHSA-2024:1474", "cpe": "cpe:/a:redhat:logging:5.8::el9", "package": "openshift-logging/logging-curator5-rhel9:v5.8.1-462", "product_name": "RHOL-5.8-RHEL-9", "release_date": "2024-03-27T00:00:00Z"}, {"advisory": "RHSA-2024:1474", "cpe": "cpe:/a:redhat:logging:5.8::el9", "package": "openshift-logging/logging-loki-rhel9:v2.9.4-22", "product_name": "RHOL-5.8-RHEL-9", "release_date": "2024-03-27T00:00:00Z"}, {"advisory": "RHSA-2024:1474", "cpe": "cpe:/a:redhat:logging:5.8::el9", "package": "openshift-logging/logging-view-plugin-rhel9:v5.8.5-4", "product_name": "RHOL-5.8-RHEL-9", "release_date": "2024-03-27T00:00:00Z"}, {"advisory": "RHSA-2024:1474", "cpe": "cpe:/a:redhat:logging:5.8::el9", "package": "openshift-logging/loki-operator-bundle:v5.8.5-23", "product_name": "RHOL-5.8-RHEL-9", "release_date": "2024-03-27T00:00:00Z"}, {"advisory": "RHSA-2024:1474", "cpe": "cpe:/a:redhat:logging:5.8::el9", "package": "openshift-logging/loki-rhel9-operator:v5.8.5-12", "product_name": "RHOL-5.8-RHEL-9", "release_date": "2024-03-27T00:00:00Z"}, {"advisory": "RHSA-2024:1474", "cpe": "cpe:/a:redhat:logging:5.8::el9", "package": "openshift-logging/lokistack-gateway-rhel9:v0.1.0-497", "product_name": "RHOL-5.8-RHEL-9", "release_date": "2024-03-27T00:00:00Z"}, {"advisory": "RHSA-2024:1474", "cpe": "cpe:/a:redhat:logging:5.8::el9", "package": "openshift-logging/opa-openshift-rhel9:v0.1.0-211", "product_name": "RHOL-5.8-RHEL-9", "release_date": "2024-03-27T00:00:00Z"}, {"advisory": "RHSA-2024:1474", "cpe": "cpe:/a:redhat:logging:5.8::el9", "package": "openshift-logging/vector-rhel9:v0.28.1-56", "product_name": "RHOL-5.8-RHEL-9", "release_date": "2024-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:1609", "cpe": "cpe:/a:redhat:cluster_observability_operator:1.0::el8", "package": "registry.redhat.io/cluster-observability-operator/cluster-observability-rhel8-operator:sha256:47d961fc88adbc2b0cd49cca5215632f31bcc023ccc223147492d6de78f3c51f", "product_name": "Cluster Observability Operator 1.0.0", "release_date": "2025-02-17T00:00:00Z"}], "bugzilla": {"description": "follow-redirects: Possible credential leak", "id": "2269576", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2269576"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "A vulnerability was found in the follow-redirects package. While processing the cross-domain redirection, `follow-redirects` clears authorization headers, however, it misses clearing proxy-authentication headers, which contain credentials as well. This issue may lead to credential leaking, having a high impact on data confidentiality."], "name": "CVE-2024-28849", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:2", "fix_state": "Fix deferred", "package_name": "follow-redirects", "product_name": "Cryostat 2"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Will not fix", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:6", "fix_state": "Affected", "package_name": "follow-redirects", "product_name": "Migration Toolkit for Applications 6"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Affected", "package_name": "migration-toolkit-virtualization/mtv-console-plugin-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:workload_availability_node_healthcheck", "fix_state": "Will not fix", "package_name": "workload-availability/node-remediation-console-rhel8", "product_name": "Node HealthCheck Operator"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Affected", "package_name": "openshift-pipelines/pipelines-hub-ui-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Will not fix", "package_name": "follow-redirects", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Affected", "package_name": "openshift-service-mesh/kiali-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Will not fix", "package_name": "3scale-amp-system-container", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Will not fix", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Not affected", "package_name": "ansible-tower", "product_name": "Red Hat Ansible Automation Platform 1.2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "aap-cloud-ui-container", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Will not fix", "package_name": "automation-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "automation-eda-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Affected", "package_name": "follow-redirects", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Not affected", "package_name": "follow-redirects", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Will not fix", "package_name": "follow-redirects", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:discovery:1", "fix_state": "Not affected", "package_name": "discovery-server-container", "product_name": "Red Hat Discovery"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "follow-redirects", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "follow-redirects", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Not affected", "package_name": "follow-redirects", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "follow-redirects", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "follow-redirects", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/nmstate-console-plugin-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-console", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/odf-console-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Fix deferred", "package_name": "rhods/odh-dashboard-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Will not fix", "package_name": "devspaces/code-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Affected", "package_name": "devspaces/traefik-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Will not fix", "package_name": "rhosdt/jaeger-agent-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Affected", "package_name": "rhosdt/jaeger-agent-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "container-native-virtualization/kubevirt-console-plugin", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "container-native-virtualization/kubevirt-console-plugin-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Will not fix", "package_name": "follow-redirects", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "nodejs-redhat-cloud-services-frontend-components", "product_name": "Red Hat Satellite 6"}], "public_date": "2024-03-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-28849\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-28849\nhttps://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp"], "threat_severity": "Moderate"}