CVE-2023-45143

CWE-200 — Information Exposure11 documents9 sources

Severity

3.5LOW

EPSS

0.1%

top 71.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Undici Fedoraproject Fedora

Timeline

PublishedOct 12

Latest updateOct 16

Description

Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this m…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:LExploitability: 0.5 | Impact: 3.4

Affected Packages4 packages

▶CVEListV5nodejs/undici< 5.26.2

▶NVDnodejs/undici< 5.26.2

▶Debiannode-undici< 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u2+2

▶npmundici< 5.26.2

Also affects: Fedora 37, 38, 39

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Undici's cookie header not cleared on cross-origin redirect in fetch↗2023-10-16

▶

OSV

Undici's cookie header not cleared on cross-origin redirect in fetch↗2023-10-16

▶

CVEList

Undici's cookie header not cleared on cross-origin redirect in fetch↗2023-10-12

▶

OSV

CVE-2023-45143: Undici is an HTTP/1↗2023-10-12

▶

📋Vendor Advisories

Red Hat

node-undici: cookie leakage↗2023-10-12

▶

Microsoft

Undici's cookie header not cleared on cross-origin redirect in fetch↗2023-10-10

▶

Oracle

Oracle Oracle Commerce Risk Matrix: Endeca Application Controller (Apache Tomcat) — CVE-2022-45143↗2023-07-15

▶

Oracle

Oracle Oracle Commerce Risk Matrix: Content Acquisition System, Workbench (Apache Tomcat) — CVE-2022-45143↗2023-04-15

▶

Debian

CVE-2023-45143: node-undici - Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version ...↗2023

▶