Bug 2076133 (CVE-2022-1365)

Summary: CVE-2022-1365 cross-fetch: Exposure of Private Personal Information to an Unauthorized Actor
Product: [Other] Security Response
Reporter: Sandipan Roy <saroy>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: aileenc, alazarot, amackenz, amasferr, anstephe, asoldano, avibelli, bbaranow, bgeorges, bmaxwell, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dkreling, dosoudil, drieden, dwhatley, dymurray, emingora, etirelli, fboucher, fjuma, ggaughan, gmalinko, go-sig, gparvin, ibek, ibolton, iweiss, janstey, jmatthew, jmontleo, jochrist, jramanat, jrokos, jstastny, jwendell, jwon, krathod, kverlaen, lgao, lmohanty, lthon, madam, mkudlej, mnovotny, mosmerov, msochure, msvehla, mszynkie, njean, nwallace, openstack-sig, oskutka, ovanders, pabelanger, pahickey, pdelbell, peholase, pgallagh, pjindal, pmackay, pvalena, rcernich, rguimara, rrajasek, rruss, rstancel, rsvoboda, ruby-packagers-sig, slucidi, smaestri, sseago, stcannon, strzibny, thrcka, tjochec, tkral, tom.jenkinson, twalsh, tzimanyi, vondruch, zebob.m
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: cross-fetch 3.1.5
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the cross-fetch library when fetching a remote URL with a cookie and following the Location response header. This flaw allows an attacker to hijack the account, as the cookie is leaked.
Story Points: ---
Last Closed: 2022-05-03 20:46:13 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2076223, 2079141, 2079142, 2079143, 2079144
Bug Blocks: 2076135

Description Sandipan Roy 2022-04-18 04:00:28 UTC
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository lquixada/cross-fetch prior to 3.1.5.

https://github.com/lquixada/cross-fetch/commit/a3b3a9481091ddd06b8f83784ba9c4e034dc912a
https://huntr.dev/bounties/ab55dfdd-2a60-437a-a832-e3efe3d264ac
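The bug class described in the Doc Text is a fetch client that keeps forwarding the Cookie header when a Location response sends it to a different host. As an added example (not cross-fetch's code and not the linked fix), the check below is what a fetch wrapper should apply before following a redirect: `nextRequest`, `SENSITIVE_HEADERS` and the sample hosts are assumptions for illustration.

```javascript
// Headers that authenticate the client and must not travel to another origin.
const SENSITIVE_HEADERS = new Set(['cookie', 'authorization', 'proxy-authorization']);

// Given the URL of the request that received a redirect, the Location header
// it returned, and the headers that were sent, return the URL and headers for
// the follow-up request. Sensitive headers are dropped whenever the origin
// (scheme, host, port) changes, which also covers an https -> http downgrade
// on the same host; all other headers are forwarded unchanged.
function nextRequest(originalUrl, locationHeader, headers) {
  const from = new URL(originalUrl);
  const to = new URL(locationHeader, from); // resolves relative Location values
  const sameOrigin = from.origin === to.origin;
  const forwarded = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!sameOrigin && SENSITIVE_HEADERS.has(name.toLowerCase())) continue;
    forwarded[name] = value;
  }
  return { url: to.href, headers: forwarded, sameOrigin };
}

// Constructed sample: a login request that carried a session cookie.
const sentHeaders = { Cookie: 'session=abc123', Accept: 'application/json' };

// Cross-origin redirect: the cookie must not follow the request.
const crossOrigin = nextRequest('https://app.example/login', 'https://other.example/collect', sentHeaders);
// Same-origin redirect via a relative Location: the cookie may follow.
const sameOrigin = nextRequest('https://app.example/login', '/dashboard', sentHeaders);
// Scheme downgrade on the same host is a different origin: the cookie is dropped.
const downgrade = nextRequest('https://app.example/login', 'http://app.example/login', sentHeaders);

console.log(crossOrigin);
console.log(sameOrigin);
console.log(downgrade);
```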

Comment 5 errata-xmlrpc 2022-05-03 16:43:57 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:1681 https://access.redhat.com/errata/RHSA-2022:1681

Comment 6 Product Security DevOps Team 2022-05-03 20:46:07 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-1365

Comment 9 errata-xmlrpc 2022-08-02 07:44:41 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:5840 https://access.redhat.com/errata/RHSA-2022:5840

Comment 10 errata-xmlrpc 2022-10-05 10:46:12 UTC
This issue has been addressed in the following products:

  RHPAM 7.13.1 async

Via RHSA-2022:6813 https://access.redhat.com/errata/RHSA-2022:6813