Bug 2085307 (CVE-2022-1650)

Summary: CVE-2022-1650 eventsource: Exposure of Sensitive Information
Product: [Other] Security Response
Reporter: Anten Skrabec <askrabec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: agerstmayr, aileenc, akostadi, alazarot, alcohan, amackenz, amasferr, amctagga, andrew.slice, anjoseph, anstephe, aoconnor, aveerama, bniver, bodavis, cbartlet, cfeist, chazlett, cheese, cluster-maint, cmiranda, crummel, dbhole, dhanak, dmayorov, domme, dotnet-packagers, drieden, dwhatley, dymurray, ecerquei, eclipseo, emingora, eric.wittmann, etirelli, extras-orphan, fboucher, flucifre, francisco.vergarat, ggaughan, gmalinko, gmeno, go-sig, gparvin, grafana-maint, harold, hbraun, huzaifas, ibek, ibolton, idevat, janstey, jlledo, jmatthew, jmontleo, jochrist, jprabhak, jramanat, jrokos, jross, jschatte, jshaughn, jstastny, jwendell, jwon, kanderso, kmalyjur, krathod, kverlaen, lchilton, lemenkov, link, lvaleeva, mail, mbenjamin, mhackett, mkudlej, mlisik, mmakovy, mnovotny, mpospisi, mwringe, nathans, nipatil, njean, omajid, omular, openstack-sig, oskutka, ovanders, owatkins, pabelanger, pahickey, pantinor, pcongius, pdelbell, pgaikwad, pjindal, ploffay, porcelli, rareddy, rcernich, rdey, rebus, rgodfrey, rguimara, rhaigner, rjohnson, rkubis, rrajasek, rstepani, rwagner, scorneli, sfeifer, slucidi, sostapov, sseago, stcannon, stjepan.gros, tjeyasin, tjochec, tkral, tojeline, twalsh, tzimanyi, ubhargav, vereddy, wtam, xavier
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: eventsource 2.0.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the EventSource NPM package. The upstream description states: "Exposure of Sensitive Information to an Unauthorized Actor." This flaw allows an attacker to steal the user's credentials and then use them to access the legitimate website.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-06-14 19:20:25 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2341885, 2341886, 2085337, 2085338, 2085339, 2085340, 2085341, 2085342, 2085343, 2087647, 2087648, 2087649, 2087650, 2087653, 2087654, 2087655, 2087656, 2089131, 2089132, 2089133, 2089139, 2089140, 2089141, 2089142, 2089143, 2103267, 2105397, 2105398, 2109280, 2109281, 2109282, 2109283, 2109284, 2110615, 2110616, 2110860, 2113026, 2113027, 2115349, 2115351, 2120740, 2341887    
Bug Blocks: 2085308    

Description Anten Skrabec 2022-05-13 00:20:12 UTC
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository eventsource/eventsource prior to v2.0.2.

https://huntr.dev/bounties/dc9e467f-be5d-4945-867d-1044d27e9b8e
https://github.com/eventsource/eventsource/commit/10ee0c4881a6ba2fe65ec18ed195ac35889583c4

Comment 17 errata-xmlrpc 2022-06-13 12:44:23 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.1

Via RHSA-2022:5006 https://access.redhat.com/errata/RHSA-2022:5006

Comment 18 errata-xmlrpc 2022-06-14 14:46:38 UTC
This issue has been addressed in the following products:

  Red Hat Fuse Online 7.10.2.P1

Via RHSA-2022:5030 https://access.redhat.com/errata/RHSA-2022:5030

Comment 19 Product Security DevOps Team 2022-06-14 19:20:19 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-1650

Comment 29 errata-xmlrpc 2022-08-24 13:48:06 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Data Foundation 4.11 on RHEL8

Via RHSA-2022:6156 https://access.redhat.com/errata/RHSA-2022:6156

Comment 30 errata-xmlrpc 2022-09-13 00:58:36 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:6429 https://access.redhat.com/errata/RHSA-2022:6429

Comment 31 errata-xmlrpc 2022-10-05 10:46:21 UTC
This issue has been addressed in the following products:

  RHPAM 7.13.1 async

Via RHSA-2022:6813 https://access.redhat.com/errata/RHSA-2022:6813

Comment 32 errata-xmlrpc 2022-10-19 12:56:18 UTC
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 2.6

Via RHSA-2022:7055 https://access.redhat.com/errata/RHSA-2022:7055

Comment 33 errata-xmlrpc 2023-06-15 16:00:01 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642