Bug 2102001 (CVE-2022-33987)

Summary: CVE-2022-33987 nodejs-got: missing verification of requested URLs allows redirects to UNIX sockets
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aboyko, abuckta, agerstmayr, aileenc, alcohan, andrew.slice, aschwart, asoldano, bbaranow, bdettelb, bmaxwell, bmontgom, bodavis, boliveir, brian.stansberry, caillon+fedoraproject, caswilli, cdewolf, chazlett, crizzo, darran.lofthouse, dbhole, dfreiber, dkreling, dkuc, dmitry, doconnor, dosoudil, drow, eclipseo, eparis, epel-packagers-sig, extras-orphan, fjansen, fjuma, fmuellner, fzatlouk, gecko-bugs-nobody, gmalinko, go-sig, gotiwari, gparvin, grafana-maint, hhorak, hkataria, istudens, ivassile, iweiss, janstey, jary, jbalunas, jburrell, jgrulich, jhadvig, jhorak, jkoehler, jochrist, jorton, jpavlik, jramanat, jshaughn, jwendell, jwong, jwon, kai-engert-fedora, kanderso, kaycoth, klember, kshier, lchilton, ldap-maint, lgao, lmohanty, lphiri, lvaleeva, madam, mgoodwin, michal.skrivanek, michel, mosmerov, mperina, mpitt, mposolda, mrunge, msochure, msvehla, mvyas, nathans, nboldt, ngompa13, njean, nodejs-maint, nodejs-sig, nstielau, nwallace, omajid, openstack-sig, orabin, oskutka, ovanders, owatkins, pabelanger, pahickey, pdelbell, pdrozd, pesilva, pjindal, pmackay, pskopek, pvalena, rcernich, rhaigner, rmartinc, rogbas, rstancel, rstepani, rsvoboda, ruby-packagers-sig, rwagner, sbonazzo, scorneli, sdawley, sfeifer, sgallagh, sgratch, smaestri, sponnaga, ssilvert, stcannon, sthorger, stransky, strzibny, teagle, thrcka, tom.jenkinson, tpopela, twalsh, vkumar, vmuzikar, vondruch, zsvetlik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: got 11.8.5, got 12.1.0 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the `got` package for node.js. Requested URLs are not verified and allow open redirection to a local UNIX socket.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-11-30 06:57:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2102908, 2102193, 2102897, 2102898, 2102899, 2102900, 2102901, 2102909, 2102910, 2102911, 2102912, 2102913, 2102914, 2102915, 2102916, 2102917, 2102918, 2102919, 2102920, 2102921, 2102922, 2102923, 2102924, 2108132, 2108133, 2108134, 2108135, 2108136, 2108137, 2108138, 2108139, 2108140, 2108141, 2108142, 2108143, 2108144, 2108145, 2108146, 2108147, 2108149, 2108150, 2109919, 2109920, 2109921, 2109928, 2111127, 2124229, 2160572    
Bug Blocks: 2099261    

Description TEJ RATHI 2022-06-29 04:50:24 UTC 
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

https://github.com/sindresorhus/got/pull/2047
https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0
https://github.com/sindresorhus/got/releases/tag/v11.8.5
Comment 4 Anten Skrabec 2022-07-01 00:20:17 UTC 
Created dotnet6.0 tracking bugs for this issue:

Affects: fedora-all [bug 2102911]


Created golang-ariga-atlas tracking bugs for this issue:

Affects: fedora-all [bug 2102912]


Created golang-entgo-ent tracking bugs for this issue:

Affects: fedora-all [bug 2102913]


Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2102914]


Created mozjs68 tracking bugs for this issue:

Affects: fedora-all [bug 2102915]


Created mozjs78 tracking bugs for this issue:

Affects: fedora-all [bug 2102916]


Created nodejs-nodemon tracking bugs for this issue:

Affects: fedora-all [bug 2102917]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2102918]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2102908]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2102919]


Created npm-name-cli tracking bugs for this issue:

Affects: fedora-all [bug 2102920]


Created seamonkey tracking bugs for this issue:

Affects: epel-all [bug 2102909]
Affects: fedora-all [bug 2102921]


Created syncthing tracking bugs for this issue:

Affects: epel-all [bug 2102910]


Created vagrant tracking bugs for this issue:

Affects: fedora-all [bug 2102922]


Created yarnpkg tracking bugs for this issue:

Affects: fedora-all [bug 2102923]


Created zuul tracking bugs for this issue:

Affects: fedora-all [bug 2102924]
Comment 9 errata-xmlrpc 2022-09-08 07:42:32 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:6389 https://access.redhat.com/errata/RHSA-2022:6389
Comment 10 errata-xmlrpc 2022-09-13 09:44:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6448 https://access.redhat.com/errata/RHSA-2022:6448
Comment 11 errata-xmlrpc 2022-09-13 09:44:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6449 https://access.redhat.com/errata/RHSA-2022:6449
Comment 12 errata-xmlrpc 2022-09-20 12:24:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:6595 https://access.redhat.com/errata/RHSA-2022:6595
Comment 14 errata-xmlrpc 2022-10-18 08:17:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:6985 https://access.redhat.com/errata/RHSA-2022:6985
Comment 16 Product Security DevOps Team 2022-11-30 06:57:41 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-33987