CVE-2024-28849Sensitive Information Exposure in Follow-redirects

CWE-200Sensitive Information Exposure11 documents8 sources
Severity
6.5MEDIUMNVD
EPSS
0.9%
top 24.06%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Follow-redirectsFollow-redirects Project Follow-redirects
Timeline
PublishedMar 14
Latest updateJan 15

Description

follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
CVE-2024-28849: follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects2024-03-14
GHSA
follow-redirects' Proxy-Authorization header kept across hosts2024-03-14
OSV
follow-redirects' Proxy-Authorization header kept across hosts2024-03-14
CVEList
Proxy-Authorization header kept across hosts in follow-redirects2024-03-14

📋Vendor Advisories

6
Oracle
Oracle Oracle Communications Applications Risk Matrix: Core (Apache Commons Configuration) — CVE-2024-288492025-01-15
Oracle
Oracle Oracle Blockchain Platform Risk Matrix: Blockchain Cloud Service Console (follow-redirects) — CVE-2024-288492024-10-15
Oracle
Oracle Oracle Communications Risk Matrix: Configuration (follow-redirects) — CVE-2024-288492024-07-15
Red Hat
follow-redirects: Possible credential leak2024-03-14
Microsoft
Proxy-Authorization header kept across hosts in follow-redirects2024-03-12
CVE-2024-28849 — Sensitive Information Exposure | cvebase