undici-5.7.0.tgz: 4 vulnerabilities (highest severity is: 9.8) - autoclosed

[mend-bolt-for-github]

Vulnerable Library - undici-5.7.0.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.7.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/undici/package.json

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2022-35948	High	9.8	undici-5.7.0.tgz	Direct	5.8.2	❌
CVE-2022-35949	High	9.8	undici-5.7.0.tgz	Direct	undici - 5.8.2	❌
CVE-2022-31151	Medium	6.5	undici-5.7.0.tgz	Direct	5.8.0	❌
CVE-2022-31150	Medium	6.5	undici-5.7.0.tgz	Direct	5.8.0	❌

Details

CVE-2022-35948

Vulnerable Library - undici-5.7.0.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.7.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/undici/package.json

Dependency Hierarchy:

• ❌ undici-5.7.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

undici is an HTTP/1.1 client, written from scratch for Node.js.=< undici@5.8.0 users are vulnerable to CRLF Injection on headers when using unsanitized input as request headers, more specifically, inside the content-type header. Example: import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET', headers: { 'content-type': unsanitizedContentTypeInput }, }) The above snippet will perform two requests in a single request API call: 1) http://localhost:3000/ 2) http://localhost:3000/foo2 This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround.

Publish Date: 2022-08-15

URL: CVE-2022-35948

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35948

Release Date: 2022-08-15

Fix Resolution: 5.8.2

Step up your Open Source Security Game with Mend here

CVE-2022-35949

Vulnerable Library - undici-5.7.0.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.7.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/undici/package.json

Dependency Hierarchy:

• ❌ undici-5.7.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

undici is an HTTP/1.1 client, written from scratch for Node.js.undici is vulnerable to SSRF (Server-side Request Forgery) when an application takes in user input into the path/pathname option of undici.request. If a user specifies a URL such as http://127.0.0.1 or //127.0.0.1 js const undici = require("undici") undici.request({origin: "http://example.com", pathname: "//127.0.0.1"}) Instead of processing the request as http://example.org//127.0.0.1 (or http://example.org/http://127.0.0.1 when http://127.0.0.1 is used), it actually processes the request as http://127.0.0.1/ and sends it to http://127.0.0.1. If a developer passes in user input into path parameter of undici.request, it can result in an SSRF as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in undici@5.8.1. The best workaround is to validate user input before passing it to the undici.request call.

Publish Date: 2022-08-12

URL: CVE-2022-35949

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35949

Release Date: 2022-08-12

Fix Resolution: undici - 5.8.2

Step up your Open Source Security Game with Mend here

CVE-2022-31151

Vulnerable Library - undici-5.7.0.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.7.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/undici/package.json

Dependency Hierarchy:

• ❌ undici-5.7.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. maxRedirections: 0 (the default).

Publish Date: 2022-07-21

URL: CVE-2022-31151

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-q768-x9m6-m9qp

Release Date: 2022-07-21

Fix Resolution: 5.8.0

Step up your Open Source Security Game with Mend here

CVE-2022-31150

Vulnerable Library - undici-5.7.0.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.7.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/undici/package.json

Dependency Hierarchy:

• ❌ undici-5.7.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate \r\n is a workaround for this issue.

Publish Date: 2022-07-19

URL: CVE-2022-31150

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31150

Release Date: 2022-07-19

Fix Resolution: 5.8.0

Step up your Open Source Security Game with Mend here

[mend-bolt-for-github]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.