Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix CVE–2024–28849 #470

Conversation

debricked[bot]
Copy link
Contributor

@debricked debricked bot commented Mar 28, 2024

CVE–2024–28849

Vulnerability details

Description

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

NVD

follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.

GitHub

follow-redirects' Proxy-Authorization header kept across hosts

When using axios, its dependency library follow-redirects only clears authorization header during cross-domain redirect, but allows the proxy-authentication header which contains credentials too.

Steps To Reproduce & PoC

axios Test Code

const axios = require('axios');

axios.get('http://127.0.0.1:10081/',{
headers: {
'AuThorization': 'Rear Test',
'ProXy-AuthoriZation': 'Rear Test',
'coOkie': 't=1'
}
}).then(function (response) {
console.log(response);
})
When I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but proxy-authentication header is kept.

Request sent by axios

image-20240314130755052.png
Request sent by follow-redirects after redirectimage-20240314130809838.png

Impact

This vulnerability may lead to credentials leak.

Recommendations

Remove proxy-authentication header during cross-domain redirect
Recommended Patch

follow-redirects/index.js:464

removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
change to

removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
Ref

https://fetch.spec.whatwg.org/#authentication-entries
https://hackerone.com/reports/2390009

CVSS details - 6.5

 

CVSS3 metrics
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None
References

    NVD - CVE-2024-28849
    THIRD PARTY
    Drop Proxy-Authorization across hosts. · follow-redirects/follow-redirects@c4f847f · GitHub
    Fetch Standard
    Redirect can expose netrc password · Issue #1885 · psf/requests · GitHub
    Proxy-Authorization header kept across hosts · Advisory · follow-redirects/follow-redirects · GitHub
    HackerOne
    [SECURITY] Fedora 40 Update: pgadmin4-8.4-2.fc40 - package-announce - Fedora Mailing-Lists

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE

 

@dependabot dependabot bot deleted the branch dependabot/npm_and_yarn/express-4.19.2 October 24, 2024 21:08
@dependabot dependabot bot closed this Oct 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants