Bug 2269576 (CVE-2024-28849)
Summary: | CVE-2024-28849 follow-redirects: Possible credential leak | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Marco Benatto <mbenatto> |
Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
Status: | NEW --- | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | aarif, aazores, adamevin, adudiak, adupliak, aileenc, amasferr, amctagga, aprice, asoldano, aveerama, bbaranow, bbuckingham, bcourt, bdettelb, bmaxwell, brian.stansberry, caswilli, cdewolf, chazlett, cmiranda, darran.lofthouse, davidn, dfreiber, dhalasz, dhanak, dkenigsb, dkreling, dkuc, dosoudil, drow, dsimansk, dymurray, eaguilar, ebaron, ecerquei, ehelms, epacific, eric.wittmann, fdeutsch, fjansen, fjuma, gmalinko, gparvin, hkataria, ibek, ibolton, ivassile, iweiss, janstey, jburrell, jcammara, jcantril, jhardy, jkang, jkoehler, jmatthew, jmitchel, jmontleo, jneedle, jobarker, jpallich, jrokos, jsamir, jshaughn, jsherril, jtanner, jwendell, kaycoth, kingland, kshier, kverlaen, lbainbri, lgao, lhein, lzap, mabashia, matzew, mhulan, mkudlej, mnovotny, mosmerov, mpierce, msochure, mstefank, msvehla, mwringe, njean, nmoumoul, nwallace, oezr, omaciel, orabin, oramraz, osapryki, owatkins, pahickey, pantinor, parichar, pcongius, pcreech, pdelbell, periklis, pierdipi, pjindal, pmackay, porcelli, psegedy, rcernich, rchan, rgarg, rguimara, rhaigner, rhuss, rjohnson, rstancel, saroy, sdawley, sfroberg, shbose, sidakwo, simaishi, sipoyare, skontopo, slucidi, smaestri, smcdonal, smullick, sseago, stcannon, sthirugn, tasato, teagle, tjochec, tom.jenkinson, twalsh, ubhargav, vkrizan, vkumar, vmugicag, yguenane, zsadeh |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | follow-redirects 1.15.6 | Doc Type: | If docs needed, set a value |
Doc Text: |
A vulnerability was found in the follow-redirects package. While processing the cross-domain redirection, `follow-redirects` clears authorization headers, however, it misses clearing proxy-authentication headers, which contain credentials as well. This issue may lead to credential leaking, having a high impact on data confidentiality.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | Type: | --- | |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2269578, 2269583, 2269585, 2269587, 2270188, 2269577, 2269579, 2269580, 2269584 | ||
Bug Blocks: | 2269586 |
Description
Marco Benatto
2024-03-14 18:20:55 UTC
Created cachelib tracking bugs for this issue: Affects: fedora-all [bug 2269577] Created fbthrift tracking bugs for this issue: Affects: fedora-all [bug 2269578] Created pgadmin4 tracking bugs for this issue: Affects: fedora-all [bug 2269580] Created rstudio tracking bugs for this issue: Affects: fedora-all [bug 2269579] Public commit for this issue: https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b Created golang-github-prometheus tracking bugs for this issue: Affects: epel-7 [bug 2269587] This issue has been addressed in the following products: RHOL-5.8-RHEL-9 Via RHSA-2024:1474 https://access.redhat.com/errata/RHSA-2024:1474 |