Fix CVE-2024-28849
CVE-2024-28849
Vulnerability details
Description
Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
NVD
follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. In affected versions follow-redirects only clears the Authorization header during a cross-domain redirect but keeps the Proxy-Authorization header, which also contains credentials. This vulnerability may lead to a credentials leak. It has been addressed in version 1.15.6; users are advised to upgrade. There are no known workarounds for this vulnerability.
GitHub
follow-redirects' Proxy-Authorization header kept across hosts
When using axios, its dependency library follow-redirects only clears the Authorization header during a cross-domain redirect, but keeps the Proxy-Authorization header, which also contains credentials. Because the header is forwarded to whatever host the redirect points at, a redirecting server (or anyone who can inject a redirect) receives the proxy credentials.
Steps To Reproduce & PoC
axios test code

```javascript
const axios = require('axios');

// Request to a local server on port 10081 that answers with a cross-domain
// redirect. The mixed-case header names check that header matching in
// follow-redirects is case-insensitive.
axios.get('http://127.0.0.1:10081/', {
  headers: {
    'AuThorization': 'Rear Test',
    'ProXy-AuthoriZation': 'Rear Test',
    'coOkie': 't=1',
  },
}).then(function (response) {
  console.log(response);
}).catch(function (error) {
  console.error(error);
});
```

When I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but the proxy-authentication header is kept.
[Screenshot: request sent by axios]
[Screenshot: request sent by follow-redirects after the redirect]
Impact
This vulnerability may lead to a credentials leak: any Proxy-Authorization value set on the original request is delivered to the host named in a cross-domain redirect.
Recommendations
Remove the Proxy-Authorization header during cross-domain redirects. Upgrade follow-redirects to 1.15.6 or later; axios pulls it in transitively, so check the resolved version with `npm ls follow-redirects` rather than the axios version alone.

Recommended patch (follow-redirects/index.js, line 464), change

```javascript
removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
```

to

```javascript
removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
```

Ref
https://fetch.spec.whatwg.org/#authentication-entries
https://hackerone.com/reports/2390009
CVSS details: 6.5 (Medium), AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

| CVSS3 metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | None |
| Availability | None |
References
NVD - CVE-2024-28849
Third-party references
Drop Proxy-Authorization across hosts. · follow-redirects/follow-redirects@c4f847f · GitHub
Fetch Standard
Redirect can expose netrc password · Issue #1885 · psf/requests · GitHub
Proxy-Authorization header kept across hosts · Advisory · follow-redirects/follow-redirects · GitHub
HackerOne
[SECURITY] Fedora 40 Update: pgadmin4-8.4-2.fc40 - package-announce - Fedora Mailing-Lists