CVE-2022-32210

CWE-295 — Improper Certificate Validation6 documents5 sources

Severity

6.5MEDIUM

EPSS

0.1%

top 67.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Undici Https: /github.com/nodejs/undici

Timeline

PublishedJul 14

Description

`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:NExploitability: 2.2 | Impact: 4.2

Affected Packages4 packages

▶CVEListV5https://github.com/nodejs/undiciFixed in version >= v5.5.1. Vulnerable between v4.8.2 and v5.5.0

▶npmundici4.8.2 — 5.5.1

▶NVDnodejs/undici4.8.2 — 5.5.1

▶Debiannode-undici< 5.6.1+dfsg1+~cs18.9.16-1+2

🔴Vulnerability Details

OSV

CVE-2022-32210: `Undici↗2022-07-14

▶

CVEList

CVE-2022-32210: `Undici↗2022-07-14

▶

GHSA

ProxyAgent vulnerable to MITM↗2022-06-17

▶

OSV

ProxyAgent vulnerable to MITM↗2022-06-17

▶

📋Vendor Advisories

Debian

CVE-2022-32210: node-undici - `Undici.ProxyAgent` never verifies the remote server's certificate, and always e...↗2022

▶