Bug 2053259 (CVE-2022-0536)

Summary: CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak
Product: [Other] Security Response Reporter: Todd Cullum <tcullum>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aboyko, agerstmayr, aileenc, alazarot, amctagga, amuller, andrew.slice, anharris, anpicker, anstephe, aos-bugs, bcoca, bdettelb, bibryam, bmontgom, bniver, bodavis, boliveir, chazlett, cheese, cmeyers, davidn, dbhole, drieden, dwhatley, dymurray, ellin, emingora, eparis, eric.wittmann, erooth, etirelli, extras-orphan, fboucher, flucifre, gblomqui, gmalinko, gmeno, go-sig, gparvin, grafana-maint, hbraun, huzaifas, ibek, ibolton, janstey, jburrell, jcammara, jhadvig, jhardy, jmatthew, jmontleo, jnethert, jobarker, jochrist, jokerman, jramanat, jrokos, jross, jschatte, jshaughn, jstastny, jwendell, jwon, kanderso, kaycoth, krathod, kverlaen, lemenkov, link, lvaleeva, mabashia, mbenjamin, mhackett, michal.skrivanek, mnovotny, mperina, mwringe, nathans, nboldt, njean, notting, nstielau, omajid, openstack-sig, osapryki, oskutka, pabelanger, pahickey, pantinor, pdelbell, pdrozd, pjindal, ploffay, rareddy, rcernich, rebus, relrod, rfreiman, rgarg, rgodfrey, rguimara, rpetrell, rrajasek, rwagner, sbonazzo, scorneli, sdoran, sgratch, shbose, slucidi, smcdonal, sostapov, spasquie, sponnaga, sseago, stcannon, sthirugn, sthorger, stjepan.gros, tkral, tkuratom, twalsh, tzimanyi, ubhargav, vereddy, vkrizan, vkumar, vmugicag, xavier, zebob.m
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: follow-redirects 1.14.8 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the follow-redirects package. This flaw allows the exposure of sensitive information to an unauthorized actor due to the usage of insecure HTTP protocol. This issue happens with an Authorization header leak from the same hostname, https-http, and requires a Man-in-the-Middle (MITM) attack.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-05 23:45:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2062720, 2054828, 2054829, 2054831, 2054832, 2054833, 2054834, 2054835, 2056112, 2056113, 2056114, 2062721, 2062722, 2062723, 2062724, 2062725, 2062726, 2062727, 2062728, 2062729, 2062730, 2062731, 2062732, 2062733, 2062991, 2062992, 2063271, 2063272, 2063273, 2063274, 2065517, 2065520, 2073221, 2074229, 2074231, 2076703, 2113055, 2159179    
Bug Blocks: 2053261    

Description Todd Cullum 2022-02-10 19:25:27 UTC 
Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8 via Authorization Header leak.

References:

https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db
https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445
Comment 7 Avinash Hanwate 2022-03-10 12:29:31 UTC 
Created cockatrice tracking bugs for this issue:

Affects: fedora-all [bug 2062721]


Created couchdb tracking bugs for this issue:

Affects: fedora-all [bug 2062722]


Created golang-github-cockroachdb-cockroach tracking bugs for this issue:

Affects: fedora-all [bug 2062723]


Created golang-github-hashicorp-consul-api tracking bugs for this issue:

Affects: fedora-all [bug 2062724]


Created golang-github-hashicorp-consul-sdk tracking bugs for this issue:

Affects: fedora-all [bug 2062725]


Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-all [bug 2062720]


Created golang-vitess tracking bugs for this issue:

Affects: fedora-all [bug 2062726]


Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2062727]


Created openvas-gsa tracking bugs for this issue:

Affects: fedora-all [bug 2062728]


Created zuul tracking bugs for this issue:

Affects: fedora-all [bug 2062729]
Comment 19 errata-xmlrpc 2022-03-28 19:36:36 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2022:1083 https://access.redhat.com/errata/RHSA-2022:1083
Comment 20 juneau 2022-04-11 19:36:51 UTC 
services-assisted-installer/facet:077f828/follow-redirects-1.14.7 https://github.com/openshift-assisted/assisted-ui/blob/master/yarn.lock

services-compliance/compliance/compliance-frontend:5aa9b1f/follow-redirects-1.14.7 https://github.com/RedHatInsights/compliance-frontend/blob/master/package-lock.json

services-openshift-cluster-manager/ocm/uhc-portal:2e62632/follow-redirects-1.13.3 https://gitlab.cee.redhat.com/service/uhc-portal/blob/master/yarn.lock
services-openshift-cluster-manager/ocm/uhc-portal:2e62632/follow-redirects-1.14.6 https://gitlab.cee.redhat.com/service/uhc-portal/blob/master/yarn.lock
services-openshift-cluster-manager/ocm/uhc-portal:2e62632/follow-redirects-1.5.10 https://gitlab.cee.redhat.com/service/uhc-portal/blob/master/yarn.lock
Comment 25 errata-xmlrpc 2022-04-20 23:46:27 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:1476 https://access.redhat.com/errata/RHSA-2022:1476
Comment 27 errata-xmlrpc 2022-05-03 16:43:25 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:1681 https://access.redhat.com/errata/RHSA-2022:1681
Comment 28 errata-xmlrpc 2022-05-05 02:38:53 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2022:1715 https://access.redhat.com/errata/RHSA-2022:1715
Comment 29 errata-xmlrpc 2022-05-05 18:02:44 UTC 
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.1

Via RHSA-2022:1739 https://access.redhat.com/errata/RHSA-2022:1739
Comment 30 Product Security DevOps Team 2022-05-05 23:45:24 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-0536
Comment 31 errata-xmlrpc 2022-06-28 17:05:59 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7

Via RHSA-2022:5392 https://access.redhat.com/errata/RHSA-2022:5392
Comment 32 errata-xmlrpc 2022-07-01 09:52:55 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:5483 https://access.redhat.com/errata/RHSA-2022:5483
Comment 35 errata-xmlrpc 2022-08-24 13:46:44 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Data Foundation 4.11 on RHEL8

Via RHSA-2022:6156 https://access.redhat.com/errata/RHSA-2022:6156
Comment 36 errata-xmlrpc 2022-10-06 12:27:09 UTC 
This issue has been addressed in the following products:

  RHINT Service Registry 2.3.0 GA

Via RHSA-2022:6835 https://access.redhat.com/errata/RHSA-2022:6835
Comment 37 errata-xmlrpc 2022-10-19 12:57:04 UTC 
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 2.6

Via RHSA-2022:7055 https://access.redhat.com/errata/RHSA-2022:7055