Bug 2053259 (CVE-2022-0536)
Summary: | CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Todd Cullum <tcullum> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | aboyko, agerstmayr, aileenc, alazarot, amctagga, amuller, andrew.slice, anharris, anpicker, anstephe, aos-bugs, bcoca, bdettelb, bibryam, bmontgom, bniver, bodavis, boliveir, chazlett, cheese, cmeyers, davidn, dbhole, drieden, dwhatley, dymurray, ellin, emingora, eparis, eric.wittmann, erooth, etirelli, extras-orphan, fboucher, flucifre, gblomqui, gmalinko, gmeno, go-sig, gparvin, grafana-maint, hbraun, huzaifas, ibek, ibolton, janstey, jburrell, jcammara, jhadvig, jhardy, jmatthew, jmontleo, jnethert, jobarker, jochrist, jokerman, jramanat, jrokos, jross, jschatte, jshaughn, jstastny, jwendell, jwon, kanderso, kaycoth, krathod, kverlaen, lemenkov, link, lvaleeva, mabashia, mbenjamin, mhackett, michal.skrivanek, mnovotny, mperina, mwringe, nathans, nboldt, njean, notting, nstielau, omajid, openstack-sig, osapryki, oskutka, pabelanger, pahickey, pantinor, pdelbell, pdrozd, pjindal, ploffay, rareddy, rcernich, rebus, relrod, rfreiman, rgarg, rgodfrey, rguimara, rpetrell, rrajasek, rwagner, sbonazzo, scorneli, sdoran, sgratch, shbose, slucidi, smcdonal, sostapov, spasquie, sponnaga, sseago, stcannon, sthirugn, sthorger, stjepan.gros, tkral, tkuratom, twalsh, tzimanyi, ubhargav, vereddy, vkrizan, vkumar, vmugicag, xavier, zebob.m |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | follow-redirects 1.14.8 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in the follow-redirects package. This flaw allows the exposure of sensitive information to an unauthorized actor due to the usage of insecure HTTP protocol. This issue happens with an Authorization header leak from the same hostname, https-http, and requires a Man-in-the-Middle (MITM) attack.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2022-05-05 23:45:31 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2062720, 2054828, 2054829, 2054831, 2054832, 2054833, 2054834, 2054835, 2056112, 2056113, 2056114, 2062721, 2062722, 2062723, 2062724, 2062725, 2062726, 2062727, 2062728, 2062729, 2062730, 2062731, 2062732, 2062733, 2062991, 2062992, 2063271, 2063272, 2063273, 2063274, 2065517, 2065520, 2073221, 2074229, 2074231, 2076703, 2113055, 2159179 | ||
Bug Blocks: | 2053261 |
Description
Todd Cullum
2022-02-10 19:25:27 UTC
Created cockatrice tracking bugs for this issue: Affects: fedora-all [bug 2062721] Created couchdb tracking bugs for this issue: Affects: fedora-all [bug 2062722] Created golang-github-cockroachdb-cockroach tracking bugs for this issue: Affects: fedora-all [bug 2062723] Created golang-github-hashicorp-consul-api tracking bugs for this issue: Affects: fedora-all [bug 2062724] Created golang-github-hashicorp-consul-sdk tracking bugs for this issue: Affects: fedora-all [bug 2062725] Created golang-github-prometheus tracking bugs for this issue: Affects: epel-all [bug 2062720] Created golang-vitess tracking bugs for this issue: Affects: fedora-all [bug 2062726] Created grafana tracking bugs for this issue: Affects: fedora-all [bug 2062727] Created openvas-gsa tracking bugs for this issue: Affects: fedora-all [bug 2062728] Created zuul tracking bugs for this issue: Affects: fedora-all [bug 2062729] This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7 Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8 Via RHSA-2022:1083 https://access.redhat.com/errata/RHSA-2022:1083 services-assisted-installer/facet:077f828/follow-redirects-1.14.7 https://github.com/openshift-assisted/assisted-ui/blob/master/yarn.lock services-compliance/compliance/compliance-frontend:5aa9b1f/follow-redirects-1.14.7 https://github.com/RedHatInsights/compliance-frontend/blob/master/package-lock.json services-openshift-cluster-manager/ocm/uhc-portal:2e62632/follow-redirects-1.13.3 https://gitlab.cee.redhat.com/service/uhc-portal/blob/master/yarn.lock services-openshift-cluster-manager/ocm/uhc-portal:2e62632/follow-redirects-1.14.6 https://gitlab.cee.redhat.com/service/uhc-portal/blob/master/yarn.lock services-openshift-cluster-manager/ocm/uhc-portal:2e62632/follow-redirects-1.5.10 https://gitlab.cee.redhat.com/service/uhc-portal/blob/master/yarn.lock This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8 Via RHSA-2022:1476 https://access.redhat.com/errata/RHSA-2022:1476 This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8 Via RHSA-2022:1681 https://access.redhat.com/errata/RHSA-2022:1681 This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7 Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8 Via RHSA-2022:1715 https://access.redhat.com/errata/RHSA-2022:1715 This issue has been addressed in the following products: OpenShift Service Mesh 2.1 Via RHSA-2022:1739 https://access.redhat.com/errata/RHSA-2022:1739 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-0536 This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8 Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7 Via RHSA-2022:5392 https://access.redhat.com/errata/RHSA-2022:5392 This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.7 Via RHSA-2022:5483 https://access.redhat.com/errata/RHSA-2022:5483 This issue has been addressed in the following products: Red Hat OpenShift Data Foundation 4.11 on RHEL8 Via RHSA-2022:6156 https://access.redhat.com/errata/RHSA-2022:6156 This issue has been addressed in the following products: RHINT Service Registry 2.3.0 GA Via RHSA-2022:6835 https://access.redhat.com/errata/RHSA-2022:6835 This issue has been addressed in the following products: Red Hat Openshift distributed tracing 2.6 Via RHSA-2022:7055 https://access.redhat.com/errata/RHSA-2022:7055 |