{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-30260", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-26T12:52:00.934Z", "datePublished": "2024-04-04T15:15:44.653Z", "dateUpdated": "2025-02-13T17:47:47.503Z"}, "containers": {"cna": {"title": "Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7"}, {"name": "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f", "tags": ["x_refsource_MISC"], "url": "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f"}, {"name": "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75", "tags": ["x_refsource_MISC"], "url": "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/"}], "affected": [{"vendor": "nodejs", "product": "undici", "versions": [{"version": "< 5.28.4", "status": "affected"}, {"version": ">= 6.0.0, < 6.11.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-19T23:06:41.342Z"}, "descriptions": [{"lang": "en", "value": "Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1."}], "source": {"advisory": "GHSA-m4v8-wqvr-p9f7", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-30260", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-05T13:43:37.003793Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:38:49.201Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:32:05.438Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7"}, {"name": "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f"}, {"name": "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7", "name": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f", "name": "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75", "name": "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:32:05.438Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-30260", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-05T13:43:37.003793Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:22.163Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline", "source": {"advisory": "GHSA-m4v8-wqvr-p9f7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.9, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "nodejs", "product": "undici", "versions": [{"status": "affected", "version": "< 5.28.4"}, {"status": "affected", "version": ">= 6.0.0, < 6.11.1"}]}], "references": [{"url": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7", "name": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f", "name": "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75", "name": "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75", "tags": ["x_refsource_MISC"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/"}], "descriptions": [{"lang": "en", "value": "Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-04T15:15:44.653Z"}}}, "cveMetadata": {"cveId": "CVE-2024-30260", "state": "PUBLISHED", "dateUpdated": "2024-08-02T01:32:05.438Z", "dateReserved": "2024-03-26T12:52:00.934Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-04-04T15:15:44.653Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "27A8308B-0EB3-454E-A010-12138A99119D", "versionEndExcluding": "5.28.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "89E57BC8-475F-4BE0-8BB4-285512F8D177", "versionEndExcluding": "6.11.1", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*", "matchCriteriaId": "CA277A6C-83EC-4536-9125-97B84C4FAF59", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1."}, {"lang": "es", "value": "Undici es un cliente HTTP/1.1, escrito desde cero para Node.js. Undici borr\u00f3 los encabezados Authorization y Proxy-Authorization para `fetch()`, pero no los borr\u00f3 para `undici.request()`. Esta vulnerabilidad fue parcheada en las versiones 5.28.4 y 6.11.1."}], "id": "CVE-2024-30260", "lastModified": "2025-02-13T18:17:58.480", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-04-04T16:15:08.877", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:6667", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "package": "devspaces/dashboard-rhel8:3.16-27", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2024-09-12T00:00:00Z"}], "bugzilla": {"description": "nodejs-undici: proxy-authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline", "id": "2273522", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2273522"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L", "status": "verified"}, "cwe": "CWE-285", "details": ["Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.", "A flaw was found in the nodejs-undici package. Proxy-Authorization headers are not cleared on cross-origin redirects, which can allow for the exposure of sensitive data or allow an attacker to capture the persistent proxy-authentication header."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-30260", "public_date": "2024-04-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-30260\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-30260"], "threat_severity": "Low"}