UBUNTU-CVE-2022-31151

Source
https://ubuntu.com/security/CVE-2022-31151
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-31151.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2022-31151
Related
Published
2022-07-21T04:15:00Z
Modified
2024-10-15T14:09:58Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. maxRedirections: 0 (the default).

References

Affected packages

Ubuntu:24.10 / node-undici

Package

Name
node-undici
Purl
pkg:deb/ubuntu/node-undici?arch=src?distro=oracular

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.26.3+dfsg1+~cs23.10.12-2
5.28.2+dfsg1+~cs23.11.12.3-6ubuntu2
5.28.4+dfsg1+~cs23.12.11-2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / node-undici

Package

Name
node-undici
Purl
pkg:deb/ubuntu/node-undici?arch=src?distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.22.1+dfsg1+~cs20.10.10.2-1ubuntu1
5.26.3+dfsg1+~cs23.10.12-2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}