Debian Bug report logs -
#1053879
node-undici: CVE-2023-45143
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
:
Bug#1053879
; Package src:node-undici
.
(Fri, 13 Oct 2023 13:27:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>
:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
.
(Fri, 13 Oct 2023 13:27:09 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: node-undici
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for node-undici.
CVE-2023-45143[0]:
| Undici is an HTTP/1.1 client written from scratch for Node.js. Prior
| to version 5.26.2, Undici already cleared Authorization headers on
| cross-origin redirects, but did not clear `Cookie` headers. By
| design, `cookie` headers are forbidden request headers, disallowing
| them to be set in RequestInit.headers in browser environments. Since
| undici handles headers more liberally than the spec, there was a
| disconnect from the assumptions the spec made, and undici's
| implementation of fetch. As such this may lead to accidental leakage
| of cookie to a third-party site or a malicious attacker who can
| control the redirection target (ie. an open redirector) to leak the
| cookie to the third party site. This was patched in version 5.26.2.
| There are no known workarounds.
https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g
https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp
https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-45143
https://www.cve.org/CVERecord?id=CVE-2023-45143
Please adjust the affected versions in the BTS as needed.
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Fri Oct 13 17:53:43 2023;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.