Refine your search
3 vulnerabilities found for by follow-redirects
CVE-2024-28849 (GCVE-0-2024-28849)
Vulnerability from cvelistv5
Published
2024-03-14 17:07
Modified
2025-02-13 17:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| follow-redirects | follow-redirects |
Version: < 1.15.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:56:58.148Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp"
},
{
"name": "https://github.com/psf/requests/issues/1885",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/psf/requests/issues/1885"
},
{
"name": "https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b"
},
{
"name": "https://hackerone.com/reports/2390009",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/2390009"
},
{
"name": "https://fetch.spec.whatwg.org/#authentication-entries",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://fetch.spec.whatwg.org/#authentication-entries"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:follow-redirects_project:follow-redirects:*:*:*:*:*:node.js:*:*"
],
"defaultStatus": "unknown",
"product": "follow-redirects",
"vendor": "follow-redirects_project",
"versions": [
{
"lessThan": "1.15.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28849",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-02T19:45:25.235625Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T19:46:22.123Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "follow-redirects",
"vendor": "follow-redirects",
"versions": [
{
"status": "affected",
"version": "\u003c 1.15.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "follow-redirects is an open source, drop-in replacement for Node\u0027s `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-23T03:06:02.341Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp"
},
{
"name": "https://github.com/psf/requests/issues/1885",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/psf/requests/issues/1885"
},
{
"name": "https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b"
},
{
"name": "https://hackerone.com/reports/2390009",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/2390009"
},
{
"name": "https://fetch.spec.whatwg.org/#authentication-entries",
"tags": [
"x_refsource_MISC"
],
"url": "https://fetch.spec.whatwg.org/#authentication-entries"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z/"
}
],
"source": {
"advisory": "GHSA-cxjh-pqwp-8mfp",
"discovery": "UNKNOWN"
},
"title": "Proxy-Authorization header kept across hosts in follow-redirects"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-28849",
"datePublished": "2024-03-14T17:07:27.338Z",
"dateReserved": "2024-03-11T22:45:07.685Z",
"dateUpdated": "2025-02-13T17:47:32.862Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0536 (GCVE-0-2022-0536)
Vulnerability from cvelistv5
Published
2022-02-09 10:45
Modified
2024-08-02 23:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-212 - Improper Removal of Sensitive Information Before Storage or Transfer
Summary
Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| follow-redirects | follow-redirects/follow-redirects |
Version: unspecified < 1.14.8 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:32:46.161Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "follow-redirects/follow-redirects",
"vendor": "follow-redirects",
"versions": [
{
"lessThan": "1.14.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.\u003c/p\u003e"
}
],
"value": "Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-212",
"description": "CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-02T08:48:13.471Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445"
}
],
"source": {
"advisory": "7cf2bf90-52da-4d59-8028-a73b132de0db",
"discovery": "EXTERNAL"
},
"title": "Improper Removal of Sensitive Information Before Storage or Transfer in follow-redirects/follow-redirects",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0536",
"STATE": "PUBLIC",
"TITLE": "Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects/follow-redirects"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "follow-redirects/follow-redirects",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.14.8"
}
]
}
}
]
},
"vendor_name": "follow-redirects"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db"
},
{
"name": "https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445",
"refsource": "MISC",
"url": "https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445"
}
]
},
"source": {
"advisory": "7cf2bf90-52da-4d59-8028-a73b132de0db",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0536",
"datePublished": "2022-02-09T10:45:10.000Z",
"dateReserved": "2022-02-08T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:32:46.161Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0155 (GCVE-0-2022-0155)
Vulnerability from cvelistv5
Published
2022-01-10 19:30
Modified
2024-08-02 23:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
Summary
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| follow-redirects | follow-redirects/follow-redirects |
Version: unspecified < 1.14.7 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:18:42.041Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/follow-redirects/follow-redirects/commit/8b347cbcef7c7b72a6e9be20f5710c17d6163c22"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "follow-redirects/follow-redirects",
"vendor": "follow-redirects",
"versions": [
{
"lessThan": "1.14.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-359",
"description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-13T11:06:25.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/follow-redirects/follow-redirects/commit/8b347cbcef7c7b72a6e9be20f5710c17d6163c22"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
}
],
"source": {
"advisory": "fc524e4b-ebb6-427d-ab67-a64181020406",
"discovery": "EXTERNAL"
},
"title": "Exposure of Private Personal Information to an Unauthorized Actor in follow-redirects/follow-redirects",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0155",
"STATE": "PUBLIC",
"TITLE": "Exposure of Private Personal Information to an Unauthorized Actor in follow-redirects/follow-redirects"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "follow-redirects/follow-redirects",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.14.7"
}
]
}
}
]
},
"vendor_name": "follow-redirects"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406"
},
{
"name": "https://github.com/follow-redirects/follow-redirects/commit/8b347cbcef7c7b72a6e9be20f5710c17d6163c22",
"refsource": "MISC",
"url": "https://github.com/follow-redirects/follow-redirects/commit/8b347cbcef7c7b72a6e9be20f5710c17d6163c22"
},
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf",
"refsource": "CONFIRM",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
}
]
},
"source": {
"advisory": "fc524e4b-ebb6-427d-ab67-a64181020406",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0155",
"datePublished": "2022-01-10T19:30:10.000Z",
"dateReserved": "2022-01-07T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:18:42.041Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}