Bug 1896130 (CVE-2020-28168)
Summary: | CVE-2020-28168 nodejs-axios: allows an attacker to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address | | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | aos-bugs, bmontgom, eparis, gghezzo, gparvin, jburrell, jhadvig, jokerman, jramanat, jshaughn, jweiser, jwendell, nstielau, rcernich, sponnaga, stcannon, thee, twalsh |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw was found in nodejs-axios. The Axios NPM package contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2021-10-28 01:40:14 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1896242, 1896243, 1896664, 1899547, 1981689 | | |
Bug Blocks: | 1896131 | | |
Description
Guilherme de Almeida Suckevicz
2020-11-09 19:20:04 UTC
External References: https://snyk.io/vuln/SNYK-JS-AXIOS-1038255

Statement: Whilst in OpenShift Container Platform (OCP) the openshift4/ose-console container does include the vulnerable axios library, it does not use the vulnerable proxy functionality. Additionally, the console is behind OpenShift OAuth, restricting access to authenticated users only, and as such has been marked as Low impact.

The OpenShift Service Mesh (OSSM) kiali component also includes the vulnerable axios library. Similar to OCP, kiali does not make use of the proxy function and is behind OpenShift OAuth, reducing the impact to Low.

For the grafana containers in OpenShift and Service Mesh, axios is included only as a dev dependency:

    "devDependencies": {
      ....
      "axios": "0.19.2",

and in grafana toolkit, `yarn why axios` reports:

    => Found "axios.2"
    info Has been hoisted to "axios"
    info Reasons this module exists
       - "workspace-aggregator-d137911f-b3b8-48ba-a924-5b580d8a5509" depends on it
       - Specified in "devDependencies"
       - Hoisted from "_project_#axios"
       - Hoisted from "_project_#@grafana#toolkit#axios"
    info Disk size without dependencies: "488KB"
    info Disk size with unique dependencies: "636KB"
    info Disk size with transitive dependencies: "760KB"
    info Number of shared dependencies: 3
    => Found "@chromaui/localtunnel#axios.0"
    info This module exists because "_project_#@grafana#ui#@storybook#addon-actions#react-inspector#storybook-chromatic#@chromaui#localtunnel" depends on it.
    Done in 1.84s.

This was also confirmed by looking at the grafana container itself.

The openshift3/ose-web-console does not include the axios dependency at all; it is only found in openshift4/ose-console in 4.6+, which still does not use the vulnerable function: it calls the proxy URL directly rather than using the proxy option of axios. For example:

    method: 'POST',
    url: CDI_UPLOAD_URL_BUILDER(uploadProxyURL),
    data: form,
    cancelToken: cancelSource.token,

instead of using `proxy: { host: , port: }`.

Mitigation: A mitigation exists whereby, by catching the error code returned by axios.request, it can be identified that there is a redirect. By updating the old request config with the new redirect path, the request can then be repeated with the traffic routed through the proxy. As identified by Marika in this GitHub comment: https://github.com/axios/axios/issues/3369#issuecomment-721748989.
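The mitigation described above, written out as an added example (this is not code from the bug report, from the linked GitHub comment, or from axios itself). The wrapper disables axios's own redirect following with `maxRedirects: 0`, catches the rejected 3xx response, rewrites only the target URL (and the method where a 303, or a 301/302 on POST, demands it) in the original config, and re-issues the request so every hop still carries the `proxy` setting. The function names `followViaProxy`, `makeFakeAxios` and `demo`, the optional `isAllowed` hook, the proxy address and the routes are all assumptions made for the example; `makeFakeAxios` stands in for `axios.request` with the same resolve/reject contract so the code runs offline. In real code you would pass `axios.request` as the first argument.

```javascript
// Added example, not part of the bug report or of axios.
// followViaProxy(request, config, opts) follows HTTP redirects by hand so that
// each hop is sent with the same `proxy` configuration as the first request.
// `request` must behave like axios.request: resolve on 2xx, reject on any other
// status with `err.response` carrying { status, headers }.

const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);

async function followViaProxy(request, config, { maxHops = 5, isAllowed = () => true } = {}) {
  // maxRedirects: 0 keeps the HTTP adapter from re-issuing the request itself;
  // the 3xx then fails axios's default validateStatus and surfaces as a rejection.
  let current = { ...config, maxRedirects: 0 };
  const hops = [current.url];
  for (let hop = 0; ; hop++) {
    try {
      const response = await request(current);
      return { response, hops };
    } catch (err) {
      const res = err && err.response;
      const location = res && res.headers && res.headers.location; // Node axios lowercases header names
      if (!res || !REDIRECT_STATUSES.has(res.status) || !location) throw err; // not a redirect: propagate
      if (hop >= maxHops) throw new Error(`redirect limit of ${maxHops} exceeded at ${current.url}`);
      const nextUrl = new URL(location, current.url).toString(); // resolve relative Location values
      if (!isAllowed(nextUrl)) throw new Error(`redirect to ${nextUrl} rejected by policy`);
      // 303, and 301/302 on POST, switch to a body-less GET as browsers do; 307/308 keep method and body.
      const method = String(current.method || 'GET').toUpperCase();
      const toGet = res.status === 303 || ((res.status === 301 || res.status === 302) && method === 'POST');
      // Spreading `current` preserves proxy, headers, timeout and so on; only url/method/data change.
      current = { ...current, url: nextUrl, ...(toGet ? { method: 'GET', data: undefined } : {}) };
      hops.push(nextUrl);
    }
  }
}

// Constructed stand-in for axios.request: serves canned responses per URL and
// records which proxy each outgoing request carried.
function makeFakeAxios(routes) {
  const calls = [];
  async function request(config) {
    calls.push({ url: config.url, method: String(config.method || 'GET').toUpperCase(), proxy: config.proxy });
    const route = routes[config.url];
    if (!route) throw new Error(`no route for ${config.url}`);
    const response = { status: route.status, headers: route.headers || {}, data: route.data, config };
    if (route.status >= 200 && route.status < 300) return response;
    const err = new Error(`Request failed with status code ${route.status}`);
    err.response = response;
    throw err;
  }
  return { request, calls };
}

// Constructed sample: a POST that is bounced twice, ending on a private address.
// Without the wrapper (or with maxRedirects > 0) the second and third requests
// would be issued directly by follow-redirects and never see the proxy.
const PROXY = { host: 'proxy.example.test', port: 3128 }; // assumed proxy
const ROUTES = {
  'http://app.example.test/start': { status: 302, headers: { location: '/hop' } },
  'http://app.example.test/hop': { status: 307, headers: { location: 'http://10.0.0.5/admin' } },
  'http://10.0.0.5/admin': { status: 200, data: 'reached, via the proxy' },
};

async function demo() {
  const fake = makeFakeAxios(ROUTES);
  const { response, hops } = await followViaProxy(fake.request, {
    method: 'POST', url: 'http://app.example.test/start', data: 'payload', proxy: PROXY,
  });
  return {
    status: response.status,
    hops,
    totalCalls: fake.calls.length,
    proxiedCalls: fake.calls.filter((c) => c.proxy === PROXY).length,
    finalMethod: fake.calls[fake.calls.length - 1].method,
  };
}

demo().then((result) => console.log(JSON.stringify(result, null, 2)));
```

The `isAllowed` hook is where a deployment that must not reach restricted hosts at all (rather than merely reach them through the proxy) can reject a redirect target before it is requested; the wrapper throws instead of following in that case.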