Bug 2290901 (CVE-2024-29041)
| Summary: | CVE-2024-29041 express: cause malformed URLs to be evaluated | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Rohit Keshri <rkeshri> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aazores, abarbaro, abrianik, adamevin, adudiak, adupliak, akostadi, alcohan, amasferr, amctagga, anjoseph, ansmith, anthomas, aprice, asoldano, bbaranow, bbuckingham, bdettelb, bmaxwell, brasmith, brian.stansberry, brking, caswilli, cbartlet, cdewolf, chazlett, cmah, cmiranda, cochase, crizzo, danken, darran.lofthouse, dfreiber, dhanak, dholler, dkenigsb, dkreling, dkuc, dmayorov, dnakabaa, doconnor, dosoudil, dranck, drosa, drow, dsimansk, dymurray, eaguilar, ebaron, eglynn, ehelms, epacific, eric.wittmann, fdeutsch, fjansen, fjuma, ggainey, ggrzybek, gkamathe, gmalinko, gotiwari, gparvin, gtanzill, haoli, hkataria, ibek, ibolton, istudens, ivassile, iweiss, jajackso, janstey, jburrell, jcammara, jcantril, jchui, jdobes, jgrulich, jhardy, jhe, jjoyce, jkang, jkoehler, jlledo, jmartisk, jmatthew, jmitchel, jmontleo, jneedle, jobarker, joehler, jolong, jpallich, jprabhak, jrokos, jsamir, jschluet, jshaughn, jsherril, jtanner, juwatts, jvasik, jwendell, jwong, kaycoth, kegrant, kholdawa, kingland, koliveir, kshier, ktsao, kverlaen, lbainbri, lcouzens, lgao, lhh, lphiri, lsvaty, mabashia, manissin, matzew, mburns, mgarciac, mhulan, mmakovy, mnovotny, mosmerov, mpierce, mskarbek, msochure, mstefank, msvehla, mwringe, nbecker, nboldt, nipatil, njean, nmoumoul, nwallace, oezr, omaciel, orabin, oramraz, osousa, owatkins, pahickey, pantinor, parichar, pbizzarr, pbraun, pcongius, pcreech, pdelbell, pesilva, pgaikwad, pgrist, phoracek, pierdipi, pjindal, pmackay, psrna, rblanco, rbobbitt, rcernich, rchan, rguimara, rhaigner, rhos-maint, rhuss, rjohnson, rkubis, rogbas, rojacob, rstancel, rstepani, rtaniwa, saroy, sausingh, sbiarozk, sdawley, sfroberg, shvarugh, simaishi, slucidi, smaestri, smallamp, smcdonal, smullick, sseago, stcannon, sthirugn, stirabos, tasato, teagle, tfister, thason, thavo, tjochec, tkral, tmalecek, tom.jenkinson, twalsh, vkrizan, vkumar, vmugicag, wtam, yguenane, zsadeh |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in the Express.js minimalist web framework for Node.js. Upstream versions of Express.js before 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL, Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This issue can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is `res.location()`, but this is also called from within `res.redirect()`. The vulnerability is fixed in upstream version 4.19.2 and 5.0.0-beta.3. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2290907, 2290908, 2308719, 2308720, 2308721, 2308722, 2308723, 2308724, 2308727, 2308729, 2308731, 2308732, 2308733, 2308734, 2308735, 2308736, 2308737, 2308738, 2308739, 2308740, 2308741, 2308742, 2308743, 2290905, 2290906, 2290909, 2290910, 2290911, 2290912, 2290913, 2290914, 2290915, 2290916, 2290917, 2290918, 2290919, 2290920, 2290921, 2290922, 2290923, 2290924, 2290925, 2290926, 2290949, 2290952, 2308725, 2308726, 2308728, 2308730 | ||
| Bug Blocks: | 2290904 | ||
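The Doc Text above describes the root of the problem: an application checks the raw user-supplied string against its allow list, but the value that actually reaches the `Location` header is whatever Express produces after encoding, so the two can disagree. The defensive pattern is to never emit the caller's bytes at all: parse the value, make the allow-list decision on the parsed host, and hand `res.redirect()` a re-serialised canonical URL. The following is an added example written for this page, not code from Express.js, `encodeurl` or Red Hat; the hosts, `SITE_ORIGIN`, `FALLBACK_PATH` and the function name `resolveRedirectTarget` are all assumed.

```javascript
// Added example (not Express.js, encodeurl or Red Hat code): derive a redirect
// target from user input without ever placing the raw input in the header.
// Node's global WHATWG URL class is used; no third-party dependency.

// Constructed allow list of hosts (host includes the port when one is present).
const ALLOWED_HOSTS = new Set(["app.example.com", "login.example.com"]);
const SITE_ORIGIN = "https://app.example.com"; // assumed origin of this app
const FALLBACK_PATH = "/";                     // where rejected values land

// Returns the canonical URL string to pass to res.redirect(), or the fallback
// if the value cannot be resolved to an allowed host over http(s).
function resolveRedirectTarget(userValue, allowedHosts = ALLOWED_HOSTS) {
  const fallback = SITE_ORIGIN + FALLBACK_PATH;
  if (typeof userValue !== "string" || userValue.length === 0) {
    return fallback;
  }

  let parsed;
  try {
    // Resolving against SITE_ORIGIN turns a relative path into an absolute URL
    // on our own host; a protocol-relative "//host/..." resolves to that host,
    // so it is still subject to the host check below rather than slipping
    // through as "relative".
    parsed = new URL(userValue, SITE_ORIGIN);
  } catch (e) {
    return fallback; // unparseable input is rejected, not repaired
  }

  // Only web schemes may be redirect targets.
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
    return fallback;
  }

  // The decision is made on the parsed host, not on a prefix of the raw string.
  if (!allowedHosts.has(parsed.host)) {
    return fallback;
  }

  // Drop any credentials so a "user:pass@host" form cannot reach the header.
  parsed.username = "";
  parsed.password = "";

  // Emit the serialised form: this is exactly the string the check was made on.
  return parsed.href;
}

// Usage inside an Express handler (illustrative; Express itself is not loaded here):
//   app.get("/after-login", (req, res) => {
//     res.redirect(resolveRedirectTarget(req.query.next));
//   });

module.exports = { resolveRedirectTarget, ALLOWED_HOSTS, SITE_ORIGIN, FALLBACK_PATH };
```

Because the function returns a URL it rebuilt from parsed components, the allow-list check and the emitted header value can no longer diverge, which removes the class of mismatch the advisory describes regardless of how the framework encodes the header afterwards. Using `parsed.host` rather than `hostname` means an allowed host on an unexpected port is also rejected unless that `host:port` pair is listed explicitly.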
Description
Rohit Keshri
2024-06-07 17:09:03 UTC
Created cachelib tracking bugs for this issue:
Affects: fedora-all [bug 2290905]

Created chromium tracking bugs for this issue:
Affects: epel-all [bug 2290906]
Affects: fedora-all [bug 2290911]

Created cldr-emoji-annotation tracking bugs for this issue:
Affects: fedora-all [bug 2290912]

Created fbthrift tracking bugs for this issue:
Affects: fedora-all [bug 2290913]

Created golang-github-prometheus tracking bugs for this issue:
Affects: epel-all [bug 2290907]

Created golang-github-task tracking bugs for this issue:
Affects: fedora-all [bug 2290914]

Created h3 tracking bugs for this issue:
Affects: fedora-all [bug 2290915]

Created magicmirror tracking bugs for this issue:
Affects: fedora-all [bug 2290916]

Created obs-cef tracking bugs for this issue:
Affects: fedora-all [bug 2290917]

Created pcs tracking bugs for this issue:
Affects: fedora-all [bug 2290918]

Created python-socketio tracking bugs for this issue:
Affects: fedora-all [bug 2290919]

Created qpid-dispatch tracking bugs for this issue:
Affects: epel-all [bug 2290908]
Affects: fedora-all [bug 2290920]

Created qt5-qtwebengine tracking bugs for this issue:
Affects: fedora-all [bug 2290921]

Created qt6-qtwebengine tracking bugs for this issue:
Affects: fedora-all [bug 2290922]

Created rstudio tracking bugs for this issue:
Affects: fedora-all [bug 2290923]

Created seamonkey tracking bugs for this issue:
Affects: epel-all [bug 2290909]
Affects: fedora-all [bug 2290924]

Created trivy tracking bugs for this issue:
Affects: fedora-all [bug 2290925]

Created yarnpkg tracking bugs for this issue:
Affects: epel-all [bug 2290910]
Affects: fedora-all [bug 2290926]

This issue has been addressed in the following products:
NETWORK-OBSERVABILITY-1.6.0-RHEL-9
Via RHSA-2024:3868 https://access.redhat.com/errata/RHSA-2024:3868

This issue has been addressed in the following products:
Red Hat build of Apicurio Registry 2.6.1 GA
Via RHSA-2024:4873 https://access.redhat.com/errata/RHSA-2024:4873

This issue has been addressed in the following products:
Red Hat Migration Toolkit for Containers 1.8
Via RHSA-2024:7164 https://access.redhat.com/errata/RHSA-2024:7164

This issue has been addressed in the following products:
RHODF-4.14-RHEL-9
Via RHSA-2024:7624 https://access.redhat.com/errata/RHSA-2024:7624

This issue has been addressed in the following products:
RHODF-4.18-RHEL-9
Via RHSA-2025:4511 https://access.redhat.com/errata/RHSA-2025:4511

This issue has been addressed in the following products:
RHODF-4.16-RHEL-9
Via RHSA-2025:8479 https://access.redhat.com/errata/RHSA-2025:8479

This issue has been addressed in the following products:
RHODF-4.15-RHEL-9
Via RHSA-2025:8544 https://access.redhat.com/errata/RHSA-2025:8544

This issue has been addressed in the following products:
RHODF-4.14-RHEL-9
Via RHSA-2025:8551 https://access.redhat.com/errata/RHSA-2025:8551