Bug 2053259 (CVE-2022-0536) - CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak
Summary: CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authori...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-0536
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2062720 2054828 2054829 2054831 2054832 2054833 2054834 2054835 2056112 2056113 2056114 2062721 2062722 2062723 2062724 2062725 2062726 2062727 2062728 2062729 2062730 2062731 2062732 2062733 2062991 2062992 2063271 2063272 2063273 2063274 2065517 2065520 2073221 2074229 2074231 2076703 2113055 2159179
Blocks: 2053261
Reported: 2022-02-10 19:25 UTC by Todd Cullum
Modified: 2024-03-19 13:15 UTC (History)

Fixed In Version: follow-redirects 1.14.8
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the follow-redirects package. When a request is redirected from an https URL to an http URL on the same hostname, the client keeps the Authorization header on the redirected request, so the credential is sent over insecure HTTP and can be exposed to an unauthorized actor. Exploiting this requires a Man-in-the-Middle (MITM) position on the network path.
Clone Of:
Environment:
Last Closed: 2022-05-05 23:45:31 UTC
Embargoed:


Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2022:1083  0        None      None    None     2022-03-28 19:36:43 UTC
Red Hat Product Errata  RHSA-2022:1476  0        None      None    None     2022-04-20 23:46:33 UTC
Red Hat Product Errata  RHSA-2022:1681  0        None      None    None     2022-05-03 16:43:31 UTC
Red Hat Product Errata  RHSA-2022:1715  0        None      None    None     2022-05-05 02:39:00 UTC
Red Hat Product Errata  RHSA-2022:1739  0        None      None    None     2022-05-05 18:02:50 UTC
Red Hat Product Errata  RHSA-2022:5392  0        None      None    None     2022-06-28 17:06:04 UTC
Red Hat Product Errata  RHSA-2022:5483  0        None      None    None     2022-07-01 09:53:01 UTC
Red Hat Product Errata  RHSA-2022:6156  0        None      None    None     2022-08-24 13:46:49 UTC
Red Hat Product Errata  RHSA-2022:6835  0        None      None    None     2022-10-06 12:27:14 UTC
Red Hat Product Errata  RHSA-2022:7055  0        None      None    None     2022-10-19 12:57:10 UTC

Description Todd Cullum 2022-02-10 19:25:27 UTC
Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8 via Authorization Header leak.

References:

https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db
https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445
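
The Doc Text and the description above state that follow-redirects before 1.14.8 kept the Authorization header when following an https-to-http redirect to the same hostname. The following is an added example, not code from the follow-redirects project: it models that header-forwarding decision in the vulnerable form and in a hardened form; the function names, the sample URLs and the header values are constructed for illustration.

```javascript
// Added example, not follow-redirects' own code: models the header-forwarding
// decision a redirect-following HTTP client makes, in the vulnerable form
// the advisory describes and in a hardened form.
// Assumption: only Authorization is treated as a credential here; a real
// client should protect every credential-bearing header it forwards.
const SENSITIVE_HEADERS = new Set(["authorization"]);

// Vulnerable: every request header, Authorization included, is copied onto
// the redirected request, even when the target scheme is plain http.
function redirectHeadersVulnerable(fromUrl, toUrl, headers) {
  return { ...headers };
}

// Hardened: drop credentials when the redirect downgrades https -> http
// (the same-host case from the advisory) or moves to another host.
function redirectHeadersHardened(fromUrl, toUrl, headers) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";
  const crossHost = from.host !== to.host; // host includes a non-default port
  if (!downgrade && !crossHost) {
    return { ...headers };
  }
  const forwarded = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!SENSITIVE_HEADERS.has(name.toLowerCase())) {
      forwarded[name] = value;
    }
  }
  return forwarded;
}

// Constructed scenario from the advisory: same hostname, https -> http.
function demo() {
  const headers = { Authorization: "Bearer EXAMPLE-TOKEN", Accept: "*/*" };
  const from = "https://api.example.test/v1/data";
  const to = "http://api.example.test/v1/data";
  return {
    vulnerableLeaks: "Authorization" in redirectHeadersVulnerable(from, to, headers),
    hardenedLeaks: "Authorization" in redirectHeadersHardened(from, to, headers),
  };
}

console.log(demo()); // { vulnerableLeaks: true, hardenedLeaks: false }
```

The check in the hardened form is what a patched client must do before re-sending the request; auditing a dependency tree for follow-redirects versions below 1.14.8 (as Comment 20 does) finds clients that still lack it.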

Comment 7 Avinash Hanwate 2022-03-10 12:29:31 UTC
Created cockatrice tracking bugs for this issue:

Affects: fedora-all [bug 2062721]


Created couchdb tracking bugs for this issue:

Affects: fedora-all [bug 2062722]


Created golang-github-cockroachdb-cockroach tracking bugs for this issue:

Affects: fedora-all [bug 2062723]


Created golang-github-hashicorp-consul-api tracking bugs for this issue:

Affects: fedora-all [bug 2062724]


Created golang-github-hashicorp-consul-sdk tracking bugs for this issue:

Affects: fedora-all [bug 2062725]


Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-all [bug 2062720]


Created golang-vitess tracking bugs for this issue:

Affects: fedora-all [bug 2062726]


Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2062727]


Created openvas-gsa tracking bugs for this issue:

Affects: fedora-all [bug 2062728]


Created zuul tracking bugs for this issue:

Affects: fedora-all [bug 2062729]

Comment 19 errata-xmlrpc 2022-03-28 19:36:36 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2022:1083 https://access.redhat.com/errata/RHSA-2022:1083

Comment 20 juneau 2022-04-11 19:36:51 UTC
services-assisted-installer/facet:077f828/follow-redirects-1.14.7 https://github.com/openshift-assisted/assisted-ui/blob/master/yarn.lock

services-compliance/compliance/compliance-frontend:5aa9b1f/follow-redirects-1.14.7 https://github.com/RedHatInsights/compliance-frontend/blob/master/package-lock.json

services-openshift-cluster-manager/ocm/uhc-portal:2e62632/follow-redirects-1.13.3 https://gitlab.cee.redhat.com/service/uhc-portal/blob/master/yarn.lock
services-openshift-cluster-manager/ocm/uhc-portal:2e62632/follow-redirects-1.14.6 https://gitlab.cee.redhat.com/service/uhc-portal/blob/master/yarn.lock
services-openshift-cluster-manager/ocm/uhc-portal:2e62632/follow-redirects-1.5.10 https://gitlab.cee.redhat.com/service/uhc-portal/blob/master/yarn.lock

Comment 25 errata-xmlrpc 2022-04-20 23:46:27 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:1476 https://access.redhat.com/errata/RHSA-2022:1476

Comment 27 errata-xmlrpc 2022-05-03 16:43:25 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:1681 https://access.redhat.com/errata/RHSA-2022:1681

Comment 28 errata-xmlrpc 2022-05-05 02:38:53 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2022:1715 https://access.redhat.com/errata/RHSA-2022:1715

Comment 29 errata-xmlrpc 2022-05-05 18:02:44 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.1

Via RHSA-2022:1739 https://access.redhat.com/errata/RHSA-2022:1739

Comment 30 Product Security DevOps Team 2022-05-05 23:45:24 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-0536

Comment 31 errata-xmlrpc 2022-06-28 17:05:59 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7

Via RHSA-2022:5392 https://access.redhat.com/errata/RHSA-2022:5392

Comment 32 errata-xmlrpc 2022-07-01 09:52:55 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:5483 https://access.redhat.com/errata/RHSA-2022:5483

Comment 35 errata-xmlrpc 2022-08-24 13:46:44 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Data Foundation 4.11 on RHEL8

Via RHSA-2022:6156 https://access.redhat.com/errata/RHSA-2022:6156

Comment 36 errata-xmlrpc 2022-10-06 12:27:09 UTC
This issue has been addressed in the following products:

  RHINT Service Registry 2.3.0 GA

Via RHSA-2022:6835 https://access.redhat.com/errata/RHSA-2022:6835

Comment 37 errata-xmlrpc 2022-10-19 12:57:04 UTC
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 2.6

Via RHSA-2022:7055 https://access.redhat.com/errata/RHSA-2022:7055
