Bug 2322502 (CVE-2024-10491)

Summary: CVE-2024-10491 express: Preload arbitrary resources by injecting additional `Link` headers
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abarbaro, akostadi, alcohan, amasferr, amctagga, anjoseph, ansmith, bdettelb, brking, cbartlet, cdaley, chazlett, danken, dmayorov, doconnor, dymurray, eglynn, ehelms, erack, fdeutsch, ggainey, gkamathe, gotiwari, gparvin, gtanzill, haoli, hkataria, ibolton, incrediboxcolorboxmustard.org, jcammara, jcantril, jchui, jforrest, jhe, jhorak, jjoyce, jkoehler, jlledo, jmatthew, jmitchel, jmontleo, jneedle, jprabhak, jross, jschluet, juwatts, jwendell, kegrant, koliveir, kshier, ktsao, lhh, lphiri, lsvaty, mabashia, mburns, mgarciac, mhulan, mkudlej, mmakovy, mvyas, mwringe, nboldt, njean, nmoumoul, oramraz, owatkins, pahickey, pbraun, pcreech, pgaikwad, pgrist, phoracek, psrna, rcernich, rchan, rhaigner, rhos-maint, rjohnson, sdawley, shvarugh, simaishi, slucidi, smallamp, smcdonal, smullick, sseago, stcannon, stirabos, teagle, tfister, thason, thavo, tjochec, tpopela, twalsh, wtam, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Express Node.js framework. In certain versions, an attacker may be able to trigger an arbitrary resource injection attack via the link header when unsanitized data is used.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2024-10-29 17:01:02 UTC 
A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used.

The issue arises from improper sanitization in `Link` header values, which can allow a combination of characters like `,`, `;`, and `<>` to preload malicious resources.

This vulnerability is especially relevant for dynamic parameters.
Comment 1 Matt Rife 2024-10-30 02:30:18 UTC 
What are the potential security risks and consequences of exploiting this vulnerability? Could an attacker potentially execute arbitrary code or gain unauthorized access to sensitive information? https://incrediboxcolorboxmustard.org