Bug 2044591 (CVE-2022-0235) - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor
Summary: CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorize...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-0235
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2061806 2061807 2044738 2048420 2048421 2048422 2048423 2048424 2048425 2048426 2048427 2048428 2049032 2050897 2058422 2061808 2061809 2061810 2061811 2061812 2061813 2061814 2061815 2061816 2061817 2061818 2061819 2061820 2061821 2061822 2061823 2061824 2061825 2061826 2061827 2061828 2061829 2061830 2061831 2061893 2061894 2061895 2061896 2061897 2061898 2061899 2061900 2061901 2061902 2061903 2061905 2061906 2061907 2061908 2061909 2061910 2061911 2061912 2061913 2061914 2061915 2062383 2063002 2063003 2063004 2063005 2063006 2063007 2063008 2063009 2063010 2065486 2065492 2068426 2068427 2076835 2076837 2079047 2109693 2120336 2132713 2132714
Blocks: 2044593
 
Reported: 2022-01-24 19:35 UTC by Pedro Sampaio
Modified: 2024-03-14 17:27 UTC
CC: 206 users

Fixed In Version: node-fetch 2.6.7, node-fetch 3.1.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in node-fetch. When following a redirect to a third-party domain, node-fetch was forwarding sensitive headers such as "Authorization," "WWW-Authenticate," and "Cookie" to potentially untrusted targets. This flaw leads to the exposure of sensitive information to an unauthorized actor.
Clone Of:
Environment:
Last Closed: 2022-09-02 18:55:44 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:0735 0 None None None 2022-03-03 06:58:28 UTC
Red Hat Product Errata RHSA-2022:1083 0 None None None 2022-03-28 19:36:39 UTC
Red Hat Product Errata RHSA-2022:1476 0 None None None 2022-04-20 23:46:25 UTC
Red Hat Product Errata RHSA-2022:1681 0 None None None 2022-05-03 16:43:21 UTC
Red Hat Product Errata RHSA-2022:1715 0 None None None 2022-05-05 02:39:00 UTC
Red Hat Product Errata RHSA-2022:1739 0 None None None 2022-05-05 18:02:55 UTC
Red Hat Product Errata RHSA-2022:4956 0 None None None 2022-06-09 02:06:29 UTC
Red Hat Product Errata RHSA-2022:5069 0 None None None 2022-08-10 10:34:09 UTC
Red Hat Product Errata RHSA-2022:5392 0 None None None 2022-06-28 17:06:09 UTC
Red Hat Product Errata RHSA-2022:5483 0 None None None 2022-07-01 09:52:49 UTC
Red Hat Product Errata RHSA-2022:6156 0 None None None 2022-08-24 13:46:17 UTC
Red Hat Product Errata RHSA-2022:6813 0 None None None 2022-10-05 10:45:17 UTC
Red Hat Product Errata RHSA-2022:6835 0 None None None 2022-10-06 12:27:02 UTC
Red Hat Product Errata RHSA-2022:8524 0 None None None 2022-11-17 13:40:20 UTC
Red Hat Product Errata RHSA-2023:0050 0 None None None 2023-01-09 14:50:47 UTC
Red Hat Product Errata RHSA-2023:0612 0 None None None 2023-02-06 19:39:36 UTC
Red Hat Product Errata RHSA-2023:1742 0 None None None 2023-04-12 14:58:24 UTC

Description Pedro Sampaio 2022-01-24 19:35:51 UTC
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7
https://github.com/node-fetch/node-fetch/commit/36e47e8a6406185921e4985dcbeff140d73eaa10
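The flaw in the Doc Text above is a redirect-handling policy problem: request headers that carry credentials (Authorization, WWW-Authenticate, Cookie) were copied onto the follow-up request even when the Location header pointed at a different site. The block below is an added example, not node-fetch's code and not the linked fix commit; it shows the defensive rule in isolation so it can be checked against a few constructed redirect targets. The header list, the same-site rule (equal hostname or a subdomain of the original host, and no https-to-http downgrade), and the sample URLs and header values are assumptions made for this illustration.

```javascript
// Added example (not node-fetch's own code): decide which request headers may
// accompany a redirected request. Credential-bearing headers are dropped when the
// redirect leaves the original site. Header set and same-site rule are assumptions.

// Request headers treated as credentials; names are compared case-insensitively.
const SENSITIVE_HEADERS = new Set(["authorization", "www-authenticate", "cookie", "cookie2"]);

// Resolve a Location header value (absolute or relative) against the request URL.
function resolveRedirect(originalUrl, location) {
  return new URL(location, originalUrl).href;
}

// Same-site test used by this example (an assumption, not a standard): hostnames
// are equal or the destination is a subdomain of the original host, and the
// scheme is not downgraded from https to http.
function redirectKeepsCredentials(originalUrl, destinationUrl) {
  const orig = new URL(originalUrl);
  const dest = new URL(destinationUrl);
  const origHost = orig.hostname.toLowerCase();
  const destHost = dest.hostname.toLowerCase();
  const sameSite = origHost === destHost || destHost.endsWith(`.${origHost}`);
  const downgraded = orig.protocol === "https:" && dest.protocol !== "https:";
  return sameSite && !downgraded;
}

// Compute the header set for the redirected request. Returns the resolved target,
// the headers that may be sent, and the lower-cased names that were removed so a
// caller can log the drop (a useful audit signal when an API starts redirecting).
function headersForRedirect(originalUrl, location, headers) {
  const destinationUrl = resolveRedirect(originalUrl, location);
  const keepCredentials = redirectKeepsCredentials(originalUrl, destinationUrl);
  const kept = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!keepCredentials && SENSITIVE_HEADERS.has(lower)) {
      dropped.push(lower);
      continue;
    }
    kept[name] = value;
  }
  return { destinationUrl, kept, dropped };
}

// Constructed sample request; the values are placeholders, not real credentials.
const SAMPLE_URL = "https://api.example.com/v1/report";
const SAMPLE_HEADERS = {
  Authorization: "Bearer placeholder-token",
  Cookie: "session=placeholder",
  Accept: "application/json",
};

// Four constructed redirect targets: a third-party host, a relative path on the
// same host, a subdomain of the original host, and an https-to-http downgrade.
function demo() {
  const cases = {
    thirdParty: "https://collector.example.net/capture",
    sameHostRelative: "/v2/report",
    subdomain: "https://files.api.example.com/report.json",
    schemeDowngrade: "http://api.example.com/v1/report",
  };
  const results = {};
  for (const [label, location] of Object.entries(cases)) {
    results[label] = headersForRedirect(SAMPLE_URL, location, SAMPLE_HEADERS);
  }
  return results;
}

for (const [label, r] of Object.entries(demo())) {
  console.log(`${label}: -> ${r.destinationUrl}; dropped: ${r.dropped.join(",") || "none"}`);
}
```

Running the block prints one line per case; only the third-party and scheme-downgrade targets lose the Authorization and Cookie headers, while Accept is always forwarded. The `dropped` list is the thing worth wiring into logging: a client that suddenly starts stripping credentials on redirect is usually a sign that an upstream endpoint moved or that something is redirecting it somewhere it should not go.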

Comment 6 errata-xmlrpc 2022-03-03 06:58:25 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:0735 https://access.redhat.com/errata/RHSA-2022:0735

Comment 8 Mauro Matteo Cascella 2022-03-08 15:29:19 UTC
Created cockpit-composer tracking bugs for this issue:

Affects: fedora-all [bug 2061809]


Created couchdb tracking bugs for this issue:

Affects: fedora-all [bug 2061810]


Created dotnet3.1 tracking bugs for this issue:

Affects: fedora-all [bug 2061811]


Created golang-github-apache-beam-2 tracking bugs for this issue:

Affects: fedora-all [bug 2061812]


Created golang-github-brocaar-chirpstack-api tracking bugs for this issue:

Affects: fedora-all [bug 2061813]


Created golang-github-cockroachdb-cockroach tracking bugs for this issue:

Affects: fedora-all [bug 2061814]


Created golang-github-hashicorp-consul-api tracking bugs for this issue:

Affects: fedora-all [bug 2061815]


Created golang-github-hashicorp-consul-sdk tracking bugs for this issue:

Affects: fedora-all [bug 2061816]


Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-all [bug 2061806]


Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2061817]


Created grpc tracking bugs for this issue:

Affects: fedora-all [bug 2061818]


Created icecat tracking bugs for this issue:

Affects: fedora-all [bug 2061819]


Created mozjs68 tracking bugs for this issue:

Affects: fedora-all [bug 2061820]


Created mozjs78 tracking bugs for this issue:

Affects: fedora-all [bug 2061821]


Created nodejs:10/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2061822]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2061823]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2061807]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2061824]


Created openvas-gsa tracking bugs for this issue:

Affects: fedora-all [bug 2061825]


Created pack tracking bugs for this issue:

Affects: fedora-all [bug 2061826]


Created python-drf-yasg tracking bugs for this issue:

Affects: epel-all [bug 2061808]
Affects: fedora-all [bug 2061827]


Created rust tracking bugs for this issue:

Affects: fedora-all [bug 2061828]


Created thunderbird tracking bugs for this issue:

Affects: fedora-all [bug 2061829]


Created vagrant tracking bugs for this issue:

Affects: fedora-all [bug 2061830]


Created zuul tracking bugs for this issue:

Affects: fedora-all [bug 2061831]

Comment 17 errata-xmlrpc 2022-03-28 19:36:30 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2022:1083 https://access.redhat.com/errata/RHSA-2022:1083

Comment 20 errata-xmlrpc 2022-04-20 23:46:15 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:1476 https://access.redhat.com/errata/RHSA-2022:1476

Comment 21 Jan Werner 2022-04-26 19:05:11 UTC
*** Bug 2048424 has been marked as a duplicate of this bug. ***

Comment 22 Jan Werner 2022-04-26 19:06:18 UTC
*** Bug 2079047 has been marked as a duplicate of this bug. ***

Comment 23 errata-xmlrpc 2022-05-03 16:43:14 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:1681 https://access.redhat.com/errata/RHSA-2022:1681

Comment 24 errata-xmlrpc 2022-05-05 02:38:53 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2022:1715 https://access.redhat.com/errata/RHSA-2022:1715

Comment 25 errata-xmlrpc 2022-05-05 18:02:45 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.1

Via RHSA-2022:1739 https://access.redhat.com/errata/RHSA-2022:1739

Comment 31 errata-xmlrpc 2022-06-09 02:06:21 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2022:4956 https://access.redhat.com/errata/RHSA-2022:4956

Comment 32 errata-xmlrpc 2022-06-28 17:05:58 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7

Via RHSA-2022:5392 https://access.redhat.com/errata/RHSA-2022:5392

Comment 37 errata-xmlrpc 2022-07-01 09:52:43 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:5483 https://access.redhat.com/errata/RHSA-2022:5483

Comment 45 errata-xmlrpc 2022-08-10 10:34:01 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:5069 https://access.redhat.com/errata/RHSA-2022:5069

Comment 51 errata-xmlrpc 2022-08-24 13:46:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Data Foundation 4.11 on RHEL8

Via RHSA-2022:6156 https://access.redhat.com/errata/RHSA-2022:6156

Comment 52 Product Security DevOps Team 2022-09-02 18:55:34 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-0235

Comment 53 errata-xmlrpc 2022-10-05 10:45:08 UTC
This issue has been addressed in the following products:

  RHPAM 7.13.1 async

Via RHSA-2022:6813 https://access.redhat.com/errata/RHSA-2022:6813

Comment 54 errata-xmlrpc 2022-10-06 12:26:53 UTC
This issue has been addressed in the following products:

  RHINT Service Registry 2.3.0 GA

Via RHSA-2022:6835 https://access.redhat.com/errata/RHSA-2022:6835

Comment 57 errata-xmlrpc 2022-11-17 13:40:12 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 8.4.0

Via RHSA-2022:8524 https://access.redhat.com/errata/RHSA-2022:8524

Comment 58 errata-xmlrpc 2023-01-09 14:50:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0050 https://access.redhat.com/errata/RHSA-2023:0050

Comment 59 errata-xmlrpc 2023-02-06 19:39:28 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2023:0612 https://access.redhat.com/errata/RHSA-2023:0612

Comment 60 errata-xmlrpc 2023-04-12 14:58:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1742 https://access.redhat.com/errata/RHSA-2023:1742

