CVE-2024-30260
Published: 2024-04-04
Severity: medium, CVSS 3.1 base score 4.3 (vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L)
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
Affected (18 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-undici | < node-undici 5.28.4+dfsg1+~cs23.12.11-1 (forky) | node-undici 5.28.4+dfsg1+~cs23.12.11-1 (forky) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| hapi | wreck | >= 0 < 18.1.1 | 18.1.1 |
| msrc | azl3_nodejs_20.10.0-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_nodejs_20.14.0-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_nodejs18_18.18.2-7_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_nodejs18_18.20.2-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| nodejs | undici | < 5.28.4 | 5.28.4 |
| nodejs | undici | — | — |
| nodejs | undici | >= 0 < 5.28.4 | 5.28.4 |
| nodejs | undici | >= 6.0.0 < 6.11.1 | 6.11.1 |
| nodejs | undici | >= 6.0.0 < 6.11.1 | 6.11.1 |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L |
| ghsa | 4.3 | MEDIUM | — |
| osv | 4.3 | MEDIUM | — |