Bug 2269576 (CVE-2024-28849)
| Summary: | CVE-2024-28849 follow-redirects: Possible credential leak | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marco Benatto <mbenatto> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aarif, aazores, adamevin, adudiak, adupliak, aileenc, amasferr, amctagga, aprice, asoldano, bbaranow, bbuckingham, bcourt, bdettelb, bmaxwell, brian.stansberry, btarraso, caswilli, cdewolf, chazlett, cmiranda, darran.lofthouse, dfreiber, dhanak, dkenigsb, dkreling, dkuc, dosoudil, drow, dsimansk, dymurray, eaguilar, ebaron, ecerquei, ehelms, epacific, eric.wittmann, fdeutsch, fjansen, fjuma, gmalinko, gparvin, hkataria, ibek, ibolton, ivassile, iweiss, janstey, jburrell, jcammara, jcantril, jhardy, jkang, jkoehler, jmatthew, jmitchel, jmontleo, jneedle, jobarker, jpallich, jrokos, jsamir, jshaughn, jsherril, jtanner, jwendell, kaycoth, kingland, kshier, kverlaen, lbainbri, lgao, lzap, mabashia, matzew, mhulan, mkudlej, mnovotny, mosmerov, mpierce, msochure, mstefank, msvehla, mwringe, njean, nmoumoul, nwallace, oezr, omaciel, orabin, oramraz, owatkins, pahickey, pantinor, parichar, pcongius, pcreech, pdelbell, pierdipi, pjindal, pmackay, psegedy, rcernich, rchan, rguimara, rhaigner, rhuss, rjohnson, rstancel, saroy, sdawley, sfroberg, shbose, sidakwo, simaishi, sipoyare, slucidi, smaestri, smcdonal, smullick, sseago, stcannon, sthirugn, tasato, teagle, tjochec, tom.jenkinson, twalsh, vkrizan, vkumar, vmugicag, yguenane, zsadeh |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | follow-redirects 1.15.6 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A vulnerability was found in the follow-redirects package. While processing the cross-domain redirection, `follow-redirects` clears authorization headers, however, it misses clearing proxy-authentication headers, which contain credentials as well. This issue may lead to credential leaking, having a high impact on data confidentiality.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2269577, 2269578, 2269579, 2269580, 2269583, 2269584, 2269585, 2269587, 2270188 | ||
| Bug Blocks: | 2269586 | ||
|
Description
Marco Benatto
2024-03-14 18:20:55 UTC
Created cachelib tracking bugs for this issue: Affects: fedora-all [bug 2269577] Created fbthrift tracking bugs for this issue: Affects: fedora-all [bug 2269578] Created pgadmin4 tracking bugs for this issue: Affects: fedora-all [bug 2269580] Created rstudio tracking bugs for this issue: Affects: fedora-all [bug 2269579] Public commit for this issue: https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b Created golang-github-prometheus tracking bugs for this issue: Affects: epel-7 [bug 2269587] This issue has been addressed in the following products: RHOL-5.8-RHEL-9 Via RHSA-2024:1474 https://access.redhat.com/errata/RHSA-2024:1474 This issue has been addressed in the following products: MTA-7.0-RHEL-9 MTA-7.0-RHEL-8 Via RHSA-2024:3316 https://access.redhat.com/errata/RHSA-2024:3316 This issue has been addressed in the following products: HawtIO 4.0.0 for Red Hat build of Apache Camel 4 Via RHSA-2024:3550 https://access.redhat.com/errata/RHSA-2024:3550 This issue has been addressed in the following products: Red Hat Ansible Automation Platform 2.4 for RHEL 9 Red Hat Ansible Automation Platform 2.4 for RHEL 8 Via RHSA-2024:3781 https://access.redhat.com/errata/RHSA-2024:3781 This issue has been addressed in the following products: NETWORK-OBSERVABILITY-1.6.0-RHEL-9 Via RHSA-2024:3868 https://access.redhat.com/errata/RHSA-2024:3868 This issue has been addressed in the following products: MTA-6.2-RHEL-9 MTA-6.2-RHEL-8 Via RHSA-2024:3989 https://access.redhat.com/errata/RHSA-2024:3989 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.16 Via RHSA-2024:0041 https://access.redhat.com/errata/RHSA-2024:0041 This issue has been addressed in the following products: Red Hat Advanced Cluster Security 4.5 Via RHSA-2024:4836 https://access.redhat.com/errata/RHSA-2024:4836 This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.8 Via RHSA-2024:7164 https://access.redhat.com/errata/RHSA-2024:7164 This issue has been solved in ACM 2.10.2 via this public advisory https://access.redhat.com/errata/RHBA-2024:2034 This issue has been solved in MCE 2.5.3 via this public advisory https://access.redhat.com/errata/RHBA-2024:2862 |