Bug 2044591 (CVE-2022-0235)

Summary: CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor
Product: [Other] Security Response    Reporter: Pedro Sampaio <psampaio>
Component: vulnerability    Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adudiak, afm404, agerstmayr, aileenc, akostadi, alazarot, alcohan, amackenz, amasferr, amctagga, amulhern, andrew.slice, anharris, anjoseph, anpicker, anstephe, anthomas, aoconnor, aos-bugs, aprice, asoldano, atangrin, aveerama, bbaranow, bbennett, bbuckingham, bcourt, bmaxwell, bmontgom, bniver, bodavis, brian.stansberry, btarraso, btotty, candlepin-bugs, caswilli, cbartlet, cdewolf, chazlett, cheese, cmiranda, crizzo, crummel, dan.cermak, darran.lofthouse, dbhole, dfreiber, dhanak, dkreling, dmayorov, dosoudil, dotnet-packagers, drieden, drow, dwhatley, dymurray, ecerquei, eclipseo, ehelms, eleandro, emachado, emingora, eparis, erack, eric.wittmann, etamir, extras-orphan, fboucher, fjansen, fjuma, flucifre, fmongiar, francisco.vergarat, fzatlouk, ganandan, gecko-bugs-nobody, ggainey, gmalinko, gmeno, go-sig, gotiwari, gparvin, grafana-maint, harold, hbraun, hhorak, hkataria, huzaifas, hvyas, ibek, ibolton, istudens, ivassile, iweiss, janstey, jburrell, jcajka, jchecahi, jdobes, jhadvig, jhorak, jistone, jkozol, jlledo, jmatthew, jmontleo, jnethert, jnovy, jochrist, jokerman, jorton, jpadman, jpallich, jperkins, jprabhak, jramanat, jrokos, jross, jsamir, jschatte, jsherril, jstastny, juwatts, jvasik, jwendell, jwong, jwon, kai-engert-fedora, kanderso, kaycoth, klaas, klember, krathod, kshier, kverlaen, kwills, lchilton, ldap-maint, lemenkov, lgao, lmohanty, lsm5, lvaleeva, lzap, madam, mail, manissin, mattias.ellert, mbenjamin, mdogra, mhackett, mhulan, michal.skrivanek, mkudlej, mmakovy, mnewsome, mnovotny, mosmerov, mperina, mpitt, mrunge, msochure, msvehla, mvyas, mwringe, myarboro, nathans, nbecker, nipatil, njean, nmoumoul, nobody, nodejs-maint, nodejs-sig, nstielau, nwallace, ocs-bugs, oezr, omachace, omajid, openstack-sig, orabin, oskutka, osousa, ovanders, owatkins, pahickey, pantinor, pcongius, pcreech, pdelbell, pesilva, pgaikwad, pjasicek, pjindal, ploffay, pmackay, porcelli, psegedy, pvalena, rareddy, rblanco, rcernich, rchan, 
rebus, rfreiman, rgodfrey, rguimara, rhaigner, rh.container.bot, rhughes, rjohnson, rkubis, rrajasek, rstancel, rstepani, rstrode, rsvoboda, ruby-packagers-sig, rwagner, sandmann, santiago, sbonazzo, scorneli, sd-operator-metering, sfeifer, sgallagh, sipoyare, slucidi, smaestri, smallamp, sostapov, spasquie, sponnaga, sseago, stcannon, sthirugn, stjepan.gros, stransky, strzibny, tcarlin, tflannag, thrcka, TicoTimo, tjochec, tkasparek, tom.jenkinson, tpopela, trpost, tsasak, tstellar, twalsh, vereddy, vkrizan, vkumar, vmugicag, vondruch, wtam, yborgess, zsvetlik
Target Milestone: ---    Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: node-fetch 2.6.7, node-fetch 3.1.1    Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in node-fetch. When following a redirect to a third-party domain, node-fetch forwarded sensitive headers such as "Authorization", "WWW-Authenticate", and "Cookie" to the redirect target, which may be untrusted. Whoever controls that target, or can observe traffic to it, receives the client's credentials. This flaw leads to the exposure of sensitive information to an unauthorized actor.
Story Points: ---
Clone Of:    Environment:
Last Closed: 2022-09-02 18:55:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2061806, 2061807, 2044738, 2048420, 2048421, 2048422, 2048423, 2048424, 2048425, 2048426, 2048427, 2048428, 2049032, 2050897, 2058422, 2061808, 2061809, 2061810, 2061811, 2061812, 2061813, 2061814, 2061815, 2061816, 2061817, 2061818, 2061819, 2061820, 2061821, 2061822, 2061823, 2061824, 2061825, 2061826, 2061827, 2061828, 2061829, 2061830, 2061831, 2061893, 2061894, 2061895, 2061896, 2061897, 2061898, 2061899, 2061900, 2061901, 2061902, 2061903, 2061905, 2061906, 2061907, 2061908, 2061909, 2061910, 2061911, 2061912, 2061913, 2061914, 2061915, 2062383, 2063002, 2063003, 2063004, 2063005, 2063006, 2063007, 2063008, 2063009, 2063010, 2065486, 2065492, 2068426, 2068427, 2076835, 2076837, 2079047, 2109693, 2120336, 2132713, 2132714    
Bug Blocks: 2044593    
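
The "Fixed In Version" field above names node-fetch 2.6.7 and 3.1.1. The following is an added example, not code from this bug report, from Red Hat, or from the node-fetch project, that scans an npm lockfile for copies of node-fetch below those releases, including copies nested under other dependencies. The lockfile content and package names are constructed for the example; treating a prerelease of a fixed version as still affected, and majors above 3 as fixed, are the example's own assumptions.

```javascript
// Added example (not code from this bug report, Red Hat, or node-fetch): scan an npm
// lockfile for copies of node-fetch that predate the fixed releases 2.6.7 / 3.1.1.
// Covers the lockfileVersion 2/3 "packages" map; the v1 "dependencies" tree is not
// handled. Package names and lockfile content below are constructed for the example.

const FIXED_BY_MAJOR = { 2: '2.6.7', 3: '3.1.1' };

// Split "3.1.1-beta.2" into its numeric parts and an optional prerelease tag.
function parseVersion(v) {
  const dash = v.indexOf('-');
  const core = dash === -1 ? v : v.slice(0, dash);
  const pre = dash === -1 ? null : v.slice(dash + 1);
  const nums = core.split('.').map(Number);
  if (nums.length !== 3 || nums.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return { nums, pre };
}

// Numeric field-by-field comparison (so 2.10.0 > 2.9.9, unlike a string compare);
// a prerelease sorts below the release it precedes.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Affected: everything below 2.6.7 (all 1.x and the 2.x releases before the fix) and
// the 3.x releases below 3.1.1. Assumptions: a prerelease of a fixed version is
// treated as not yet fixed, and majors above 3 are treated as fixed.
function isAffectedNodeFetch(version) {
  const major = parseVersion(version).nums[0];
  if (major <= 2) return compareVersions(version, FIXED_BY_MAJOR[2]) < 0;
  if (major === 3) return compareVersions(version, FIXED_BY_MAJOR[3]) < 0;
  return false;
}

// Walk the "packages" map, whose keys are install paths, and report every affected
// copy, including nested ones like node_modules/<dep>/node_modules/node-fetch.
function findAffectedNodeFetch(lockfileJson) {
  const lock = JSON.parse(lockfileJson);
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/node-fetch')) continue;
    if (!meta.version) continue; // workspace links carry no version
    if (isAffectedNodeFetch(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed lockfile: a direct 2.6.6 (affected), a nested 3.0.0 (affected) and a
// nested 3.1.1 (fixed).
const SAMPLE_LOCKFILE = JSON.stringify({
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { 'node-fetch': '^2.6.0' } },
    'node_modules/node-fetch': { version: '2.6.6' },
    'node_modules/some-sdk': { version: '1.4.0', dependencies: { 'node-fetch': '^3.0.0' } },
    'node_modules/some-sdk/node_modules/node-fetch': { version: '3.0.0' },
    'node_modules/other-sdk': { version: '2.0.0' },
    'node_modules/other-sdk/node_modules/node-fetch': { version: '3.1.1' },
  },
});

console.log(findAffectedNodeFetch(SAMPLE_LOCKFILE));
```

To run it against a real project, replace SAMPLE_LOCKFILE with the contents of package-lock.json read from disk. `npm ls node-fetch` lists the same installed copies without the version logic; the point of the scan is the nested copies, which a quick look at the top-level dependency list misses.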

Description Pedro Sampaio 2022-01-24 19:35:51 UTC
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7
https://github.com/node-fetch/node-fetch/commit/36e47e8a6406185921e4985dcbeff140d73eaa10
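
The leak described in the Doc Text above, as an added example that is not code from this bug report or from node-fetch. It models a redirect-following client against constructed in-memory responses (no network), so the two behaviours can be compared on the same request: the pre-fix policy copies every request header to the redirect target, while the hardened policy drops Authorization, WWW-Authenticate, Cookie and Cookie2 unless the target host is the original host or one of its subdomains. The hostnames, responses and function names are the example's own, and the same-site rule is my reading of the upstream commit linked above; check it against that commit before relying on the exact direction of the subdomain comparison.

```javascript
// Added example (not code from this bug report or from node-fetch): an in-memory
// model of a fetch client that follows redirects, comparing the pre-fix behaviour
// (every header is copied to the next hop) with a hardened policy (credential
// headers are dropped when the hop leaves the original site). All hostnames and
// responses are constructed; nothing touches the network.

// Headers the fixed node-fetch releases stop forwarding across domains.
const SENSITIVE_HEADERS = ['authorization', 'www-authenticate', 'cookie', 'cookie2'];

// Constructed responses keyed by absolute URL. A 302 carries a Location header,
// written absolute, protocol-relative or path-relative as real servers do.
const FAKE_SERVERS = new Map([
  ['https://api.example.com/login',
    { status: 302, headers: { location: 'https://cdn.attacker.example/collect' } }],
  ['https://cdn.attacker.example/collect', { status: 200, headers: {} }],
  ['https://api.example.com/v1/self',
    { status: 302, headers: { location: '//files.api.example.com/self' } }],
  ['https://files.api.example.com/self', { status: 200, headers: {} }],
  ['https://api.example.com/old', { status: 302, headers: { location: '/new' } }],
  ['https://api.example.com/new', { status: 200, headers: {} }],
]);

// Pre-fix policy: whatever was sent to the first host goes to the next one too.
function forwardAllHeaders(fromUrl, toUrl, headers) {
  return { ...headers };
}

// Same-site test for the hardened policy: the target host must be the original
// host or one of its subdomains. The leading dot matters: "evilapi.example.com"
// ends with "api.example.com" but is not a subdomain of it.
function isSameSiteRedirect(fromUrl, toUrl) {
  const orig = new URL(fromUrl).hostname;
  const dest = new URL(toUrl).hostname;
  return orig === dest || dest.endsWith('.' + orig);
}

// Hardened policy: drop credential headers for any hop that leaves the site.
function stripCredentialsOffSite(fromUrl, toUrl, headers) {
  const next = { ...headers };
  if (!isSameSiteRedirect(fromUrl, toUrl)) {
    for (const name of SENSITIVE_HEADERS) delete next[name];
  }
  return next;
}

// Follow redirects against FAKE_SERVERS and record the headers each hop received.
// Header names are lower-cased once on entry, as HTTP header names are case-insensitive.
function simulateFetch(url, headers, redirectPolicy, maxRedirects = 20) {
  let current = url;
  let sent = Object.fromEntries(
    Object.entries(headers).map(([name, value]) => [name.toLowerCase(), value]));
  const hops = [];
  for (let i = 0; i <= maxRedirects; i++) {
    const response = FAKE_SERVERS.get(current);
    if (!response) throw new Error(`no constructed response for ${current}`);
    hops.push({ url: current, headers: sent });
    if (response.status < 300 || response.status > 399) {
      return { finalUrl: current, status: response.status, hops };
    }
    // Location may be relative; resolve it against the current URL like a client does.
    const target = new URL(response.headers.location, current).href;
    sent = redirectPolicy(current, target, sent);
    current = target;
  }
  throw new Error('maximum redirect reached');
}

// Side-by-side run: what the third-party host sees under each policy.
const CREDENTIALS = { Authorization: 'Bearer s3cr3t', Cookie: 'sid=abc123', 'X-Request-Id': 'r-1' };
const leaky = simulateFetch('https://api.example.com/login', CREDENTIALS, forwardAllHeaders);
const fixed = simulateFetch('https://api.example.com/login', CREDENTIALS, stripCredentialsOffSite);
console.log('cdn.attacker.example received (pre-fix):  ', leaky.hops[1].headers);
console.log('cdn.attacker.example received (hardened): ', fixed.hops[1].headers);
```

Two things worth noticing when adapting this: the check compares hostnames only, so a redirect from https to http on the same host would still carry the credentials under this rule, and a redirect from a subdomain back to its parent domain is treated as off-site here, which is stricter than some clients. Which of those a given application wants depends on who is allowed to issue the redirects it follows.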

Comment 6 errata-xmlrpc 2022-03-03 06:58:25 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:0735 https://access.redhat.com/errata/RHSA-2022:0735

Comment 8 Mauro Matteo Cascella 2022-03-08 15:29:19 UTC
Created cockpit-composer tracking bugs for this issue:

Affects: fedora-all [bug 2061809]


Created couchdb tracking bugs for this issue:

Affects: fedora-all [bug 2061810]


Created dotnet3.1 tracking bugs for this issue:

Affects: fedora-all [bug 2061811]


Created golang-github-apache-beam-2 tracking bugs for this issue:

Affects: fedora-all [bug 2061812]


Created golang-github-brocaar-chirpstack-api tracking bugs for this issue:

Affects: fedora-all [bug 2061813]


Created golang-github-cockroachdb-cockroach tracking bugs for this issue:

Affects: fedora-all [bug 2061814]


Created golang-github-hashicorp-consul-api tracking bugs for this issue:

Affects: fedora-all [bug 2061815]


Created golang-github-hashicorp-consul-sdk tracking bugs for this issue:

Affects: fedora-all [bug 2061816]


Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-all [bug 2061806]


Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2061817]


Created grpc tracking bugs for this issue:

Affects: fedora-all [bug 2061818]


Created icecat tracking bugs for this issue:

Affects: fedora-all [bug 2061819]


Created mozjs68 tracking bugs for this issue:

Affects: fedora-all [bug 2061820]


Created mozjs78 tracking bugs for this issue:

Affects: fedora-all [bug 2061821]


Created nodejs:10/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2061822]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2061823]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2061807]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2061824]


Created openvas-gsa tracking bugs for this issue:

Affects: fedora-all [bug 2061825]


Created pack tracking bugs for this issue:

Affects: fedora-all [bug 2061826]


Created python-drf-yasg tracking bugs for this issue:

Affects: epel-all [bug 2061808]
Affects: fedora-all [bug 2061827]


Created rust tracking bugs for this issue:

Affects: fedora-all [bug 2061828]


Created thunderbird tracking bugs for this issue:

Affects: fedora-all [bug 2061829]


Created vagrant tracking bugs for this issue:

Affects: fedora-all [bug 2061830]


Created zuul tracking bugs for this issue:

Affects: fedora-all [bug 2061831]

Comment 17 errata-xmlrpc 2022-03-28 19:36:30 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2022:1083 https://access.redhat.com/errata/RHSA-2022:1083

Comment 20 errata-xmlrpc 2022-04-20 23:46:15 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:1476 https://access.redhat.com/errata/RHSA-2022:1476

Comment 21 Jan Werner 2022-04-26 19:05:11 UTC
*** Bug 2048424 has been marked as a duplicate of this bug. ***

Comment 22 Jan Werner 2022-04-26 19:06:18 UTC
*** Bug 2079047 has been marked as a duplicate of this bug. ***

Comment 23 errata-xmlrpc 2022-05-03 16:43:14 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:1681 https://access.redhat.com/errata/RHSA-2022:1681

Comment 24 errata-xmlrpc 2022-05-05 02:38:53 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2022:1715 https://access.redhat.com/errata/RHSA-2022:1715

Comment 25 errata-xmlrpc 2022-05-05 18:02:45 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.1

Via RHSA-2022:1739 https://access.redhat.com/errata/RHSA-2022:1739

Comment 31 errata-xmlrpc 2022-06-09 02:06:21 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2022:4956 https://access.redhat.com/errata/RHSA-2022:4956

Comment 32 errata-xmlrpc 2022-06-28 17:05:58 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7

Via RHSA-2022:5392 https://access.redhat.com/errata/RHSA-2022:5392

Comment 37 errata-xmlrpc 2022-07-01 09:52:43 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:5483 https://access.redhat.com/errata/RHSA-2022:5483

Comment 45 errata-xmlrpc 2022-08-10 10:34:01 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:5069 https://access.redhat.com/errata/RHSA-2022:5069

Comment 51 errata-xmlrpc 2022-08-24 13:46:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Data Foundation 4.11 on RHEL8

Via RHSA-2022:6156 https://access.redhat.com/errata/RHSA-2022:6156

Comment 52 Product Security DevOps Team 2022-09-02 18:55:34 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-0235

Comment 53 errata-xmlrpc 2022-10-05 10:45:08 UTC
This issue has been addressed in the following products:

  RHPAM 7.13.1 async

Via RHSA-2022:6813 https://access.redhat.com/errata/RHSA-2022:6813

Comment 54 errata-xmlrpc 2022-10-06 12:26:53 UTC
This issue has been addressed in the following products:

  RHINT Service Registry 2.3.0 GA

Via RHSA-2022:6835 https://access.redhat.com/errata/RHSA-2022:6835

Comment 57 errata-xmlrpc 2022-11-17 13:40:12 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 8.4.0

Via RHSA-2022:8524 https://access.redhat.com/errata/RHSA-2022:8524

Comment 58 errata-xmlrpc 2023-01-09 14:50:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0050 https://access.redhat.com/errata/RHSA-2023:0050

Comment 59 errata-xmlrpc 2023-02-06 19:39:28 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2023:0612 https://access.redhat.com/errata/RHSA-2023:0612

Comment 60 errata-xmlrpc 2023-04-12 14:58:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1742 https://access.redhat.com/errata/RHSA-2023:1742