Bug 2290901 (CVE-2024-29041)

Summary: CVE-2024-29041 express: cause malformed URLs to be evaluated
Product: [Other] Security Response
Reporter: Rohit Keshri <rkeshri>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: aazores, adamevin, adudiak, adupliak, akostadi, amasferr, amctagga, anjoseph, ansmith, aprice, asoldano, bbaranow, bbuckingham, bdettelb, bmaxwell, brian.stansberry, brking, caswilli, cbartlet, cdaley, cdewolf, chazlett, cmiranda, danken, darran.lofthouse, dfreiber, dhanak, dholler, dkenigsb, dkreling, dkuc, dmayorov, doconnor, dosoudil, drow, dsimansk, dymurray, eaguilar, ebaron, ecerquei, eglynn, ehelms, epacific, eric.wittmann, fdeutsch, fjansen, fjuma, ggainey, gkamathe, gmalinko, gotiwari, gparvin, gtanzill, haoli, hkataria, ibek, ibolton, istudens, ivassile, iweiss, janstey, jburrell, jcammara, jcantril, jchui, jhardy, jjoyce, jkang, jkoehler, jlledo, jmatthew, jmitchel, jmontleo, jneedle, jobarker, jpallich, jprabhak, jrokos, jross, jsamir, jschluet, jshaughn, jsherril, jtanner, juwatts, jwendell, jwong, kaycoth, kholdawa, kingland, kshier, ktsao, kverlaen, lbainbri, lgao, lhh, lsvaty, mabashia, matzew, mburns, mgarciac, mhulan, mkudlej, mmakovy, mnovotny, mosmerov, mpierce, msochure, mstefank, msvehla, mwringe, nbecker, nboldt, nipatil, njean, nmoumoul, nwallace, oezr, omaciel, orabin, oramraz, owatkins, pahickey, pantinor, parichar, pbraun, pcongius, pcreech, pdelbell, pgaikwad, pgrist, phoracek, pierdipi, pjindal, pmackay, psegedy, rbobbitt, rcernich, rchan, rguimara, rhaigner, rhos-maint, rhuss, rjohnson, rkubis, rogbas, rstancel, rstepani, rtaniwa, saroy, sdawley, sfroberg, simaishi, slucidi, smaestri, smcdonal, smullick, sseago, stcannon, sthirugn, stirabos, tasato, teagle, tfister, thavo, tjochec, tkral, tom.jenkinson, twalsh, vkrizan, vkumar, vmugicag, wtam, yguenane, zsadeh
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Express.js minimalist web framework for node. Versions of Express.js before 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL, Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This issue can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is `res.location()`, but this is also called from within `res.redirect()`. The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.
Bug Depends On: 2290907, 2290908, 2290952, 2308719, 2308720, 2308721, 2308722, 2308723, 2308724, 2308727, 2308729, 2308731, 2308732, 2308733, 2308734, 2308735, 2308736, 2308737, 2308738, 2308739, 2308740, 2308741, 2308742, 2308743, 2290905, 2290906, 2290909, 2290910, 2290911, 2290912, 2290913, 2290914, 2290915, 2290916, 2290917, 2290918, 2290919, 2290920, 2290921, 2290922, 2290923, 2290924, 2290925, 2290926, 2290949, 2308725, 2308726, 2308728, 2308730    
Bug Blocks: 2290904    

Description Rohit Keshri 2024-06-07 17:09:03 UTC
Express.js is a minimalist web framework for Node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL, Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is `res.location()`, but this is also called from within `res.redirect()`. The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.

https://expressjs.com/en/4x/api.html#res.location
https://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd
https://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94
https://github.com/expressjs/express/pull/5539
https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc
https://github.com/koajs/koa/issues/1800
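The description above says that encoding the whole user-supplied URL before it reaches the `Location` header lets a malformed URL pass an allow list and still redirect elsewhere, but does not show the mechanism. The following is an added, self-contained Node.js example written for this page; it is not Express code and not the upstream fix. It assumes a simplified stand-in for the `encodeurl` package (same safe-character set, re-implemented locally), an allow list that compares the WHATWG-parsed hostname against a constructed set containing `example.com`, a "fixed" variant modelled on the approach described in the fix (leave scheme and host untouched, encode only what follows), and a constructed attacker URL in which a backslash ends the authority for the allow list but becomes `%5C` after encoding, so that a browser reads `evil.com` as the real host. The host names are hypothetical.

```javascript
// Added example, not Express source. Shows why percent-encoding a whole
// user-supplied URL (the pre-4.19.2 behaviour described in the advisory)
// can defeat a host allow list, and how encoding only the part after the
// host (the approach of the fix) avoids it.

// Simplified stand-in for the `encodeurl` package (assumption: same safe-character
// set; it is not the package). Everything outside the safe set, including
// backslash (\x5C), is percent-encoded; existing valid %XX sequences are kept.
const ENCODE_CHARS =
  /(?:[^\x21\x23-\x3B\x3D\x3F-\x5B\x5D\x5F\x61-\x7A\x7E]|%(?:[^0-9A-Fa-f]|[0-9A-Fa-f][^0-9A-Fa-f]|$))+/g;
function encodeUrl(url) {
  return String(url).replace(ENCODE_CHARS, encodeURI);
}

// A typical redirect allow list: parse with the WHATWG parser, compare the host.
// ALLOWED_HOSTS is constructed for this example.
const ALLOWED_HOSTS = new Set(['example.com']);
function isAllowedRedirect(target) {
  let parsed;
  try {
    parsed = new URL(target, 'https://example.com/');
  } catch (_err) {
    return false;
  }
  return ALLOWED_HOSTS.has(parsed.hostname);
}

// Vulnerable construction of the Location value: encode the entire string.
function locationVulnerable(target) {
  return encodeUrl(target);
}

// Hardened construction, modelled on the fix's approach (assumption, not the
// upstream code): leave scheme and host untouched, encode only what follows.
const SCHEME_AND_HOST = /^(?:[a-zA-Z][a-zA-Z0-9+.-]*:)?\/\/[^\\\/?]+/;
function locationFixed(target) {
  const loc = String(target);
  const m = SCHEME_AND_HOST.exec(loc);
  const pos = m ? m[0].length + 1 : 0;
  return loc.slice(0, pos) + encodeUrl(loc.slice(pos));
}

// Host a WHATWG-conformant browser would actually navigate to for a Location value.
function browserHost(location) {
  return new URL(location, 'https://example.com/').hostname;
}

// Run a candidate through allow-list check, header construction and browser parse.
function simulateRedirect(target, buildLocation) {
  if (!isAllowedRedirect(target)) {
    return { allowed: false, location: null, landsOn: null };
  }
  const location = buildLocation(target);
  return { allowed: true, location, landsOn: browserHost(location) };
}

// Constructed attacker input. For the WHATWG parser the backslash ends the
// authority, so the allow list sees host example.com and "/@evil.com" as path.
// Once the backslash is encoded as %5C it no longer ends the authority, and the
// '@' turns "example.com%5C" into userinfo with evil.com as the real host.
const PAYLOAD = 'https://example.com\\@evil.com';

const beforeFix = simulateRedirect(PAYLOAD, locationVulnerable);
const afterFix = simulateRedirect(PAYLOAD, locationFixed);

console.log('allow list sees host :', new URL(PAYLOAD).hostname);
console.log('before fix           :', beforeFix);
console.log('after fix            :', afterFix);
```

Run it with `node`. The allow list accepts the payload in both cases because it checks the raw string; the difference is in what the header carries afterwards. The encoded `Location` contains `example.com%5C@evil.com`, which a browser resolves to `evil.com`, while the variant that leaves the authority alone keeps the backslash, so the browser lands on `example.com`, in agreement with what the allow list checked. Relative targets and path or fragment components after the host are still percent-encoded by the hardened variant.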

Comment 2 Rohit Keshri 2024-06-07 18:42:41 UTC
Created cachelib tracking bugs for this issue:

Affects: fedora-all [bug 2290905]


Created chromium tracking bugs for this issue:

Affects: epel-all [bug 2290906]
Affects: fedora-all [bug 2290911]


Created cldr-emoji-annotation tracking bugs for this issue:

Affects: fedora-all [bug 2290912]


Created fbthrift tracking bugs for this issue:

Affects: fedora-all [bug 2290913]


Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-all [bug 2290907]


Created golang-github-task tracking bugs for this issue:

Affects: fedora-all [bug 2290914]


Created h3 tracking bugs for this issue:

Affects: fedora-all [bug 2290915]


Created magicmirror tracking bugs for this issue:

Affects: fedora-all [bug 2290916]


Created obs-cef tracking bugs for this issue:

Affects: fedora-all [bug 2290917]


Created pcs tracking bugs for this issue:

Affects: fedora-all [bug 2290918]


Created python-socketio tracking bugs for this issue:

Affects: fedora-all [bug 2290919]


Created qpid-dispatch tracking bugs for this issue:

Affects: epel-all [bug 2290908]
Affects: fedora-all [bug 2290920]


Created qt5-qtwebengine tracking bugs for this issue:

Affects: fedora-all [bug 2290921]


Created qt6-qtwebengine tracking bugs for this issue:

Affects: fedora-all [bug 2290922]


Created rstudio tracking bugs for this issue:

Affects: fedora-all [bug 2290923]


Created seamonkey tracking bugs for this issue:

Affects: epel-all [bug 2290909]
Affects: fedora-all [bug 2290924]


Created trivy tracking bugs for this issue:

Affects: fedora-all [bug 2290925]


Created yarnpkg tracking bugs for this issue:

Affects: epel-all [bug 2290910]
Affects: fedora-all [bug 2290926]

Comment 10 errata-xmlrpc 2024-06-17 00:44:33 UTC
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.6.0-RHEL-9

Via RHSA-2024:3868 https://access.redhat.com/errata/RHSA-2024:3868

Comment 13 errata-xmlrpc 2024-07-25 15:05:09 UTC
This issue has been addressed in the following products:

  Red Hat build of Apicurio Registry 2.6.1 GA

Via RHSA-2024:4873 https://access.redhat.com/errata/RHSA-2024:4873

Comment 15 errata-xmlrpc 2024-09-26 03:47:14 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.8

Via RHSA-2024:7164 https://access.redhat.com/errata/RHSA-2024:7164

Comment 17 errata-xmlrpc 2024-10-03 11:22:49 UTC
This issue has been addressed in the following products:

  RHODF-4.14-RHEL-9

Via RHSA-2024:7624 https://access.redhat.com/errata/RHSA-2024:7624

Comment 25 errata-xmlrpc 2025-05-06 07:15:01 UTC
This issue has been addressed in the following products:

  RHODF-4.18-RHEL-9

Via RHSA-2025:4511 https://access.redhat.com/errata/RHSA-2025:4511

Comment 27 errata-xmlrpc 2025-06-04 01:58:48 UTC
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2025:8479 https://access.redhat.com/errata/RHSA-2025:8479

Comment 28 errata-xmlrpc 2025-06-04 20:11:41 UTC
This issue has been addressed in the following products:

  RHODF-4.15-RHEL-9

Via RHSA-2025:8544 https://access.redhat.com/errata/RHSA-2025:8544

Comment 29 errata-xmlrpc 2025-06-04 22:58:52 UTC
This issue has been addressed in the following products:

  RHODF-4.14-RHEL-9

Via RHSA-2025:8551 https://access.redhat.com/errata/RHSA-2025:8551