2076133 – (CVE-2022-1365) CVE-2022-1365 cross-fetch: Exposure of Private Personal Information to an Unauthorized Actor

Bug 2076133 (CVE-2022-1365) - CVE-2022-1365 cross-fetch: Exposure of Private Personal Information to an Unauthorized Actor

Summary: CVE-2022-1365 cross-fetch: Exposure of Private Personal Information to an Una...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-1365
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2076223 2079141 2079142 2079143 2079144
Blocks:	2076135
TreeView+	depends on / blocked

Reported:	2022-04-18 04:00 UTC by Sandipan Roy
Modified:	2024-02-06 04:44 UTC (History)
CC List:	84 users (show)
Fixed In Version:	cross-fetch 3.1.5
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the cross-fetch library when fetching a remote URL with a cookie when it gets to the Location response header. This flaw allows an attacker to hijack the account as the cookie is leaked.
Clone Of:
Environment:
Last Closed:	2022-05-03 20:46:13 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2022:1681	None	None	None	2022-05-03 16:44:01 UTC
Red Hat Product Errata	RHSA-2022:5840	None	None	None	2022-08-02 07:44:45 UTC
Red Hat Product Errata	RHSA-2022:6813	None	None	None	2022-10-05 10:46:17 UTC

Description Sandipan Roy 2022-04-18 04:00:28 UTC

Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository lquixada/cross-fetch prior to 3.1.5.

https://github.com/lquixada/cross-fetch/commit/a3b3a9481091ddd06b8f83784ba9c4e034dc912a
https://huntr.dev/bounties/ab55dfdd-2a60-437a-a832-e3efe3d264ac

Comment 5 errata-xmlrpc 2022-05-03 16:43:57 UTC

This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:1681 https://access.redhat.com/errata/RHSA-2022:1681

Comment 6 Product Security DevOps Team 2022-05-03 20:46:07 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-1365

Comment 9 errata-xmlrpc 2022-08-02 07:44:41 UTC

This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:5840 https://access.redhat.com/errata/RHSA-2022:5840

Comment 10 errata-xmlrpc 2022-10-05 10:46:12 UTC

This issue has been addressed in the following products:

  RHPAM 7.13.1 async

Via RHSA-2022:6813 https://access.redhat.com/errata/RHSA-2022:6813

Note You need to log in before you can comment on or make changes to this bug.

aileenc
alazarot
amackenz
amasferr
anstephe
asoldano
avibelli
bbaranow
bgeorges
bmaxwell
brian.stansberry
cdewolf
chazlett
darran.lofthouse
dkreling
dosoudil
drieden
dwhatley
dymurray
emingora
etirelli
fboucher
fjuma
ggaughan
gmalinko
go-sig
gparvin
ibek
ibolton
iweiss
janstey
jmatthew
jmontleo
jochrist
jramanat
jrokos
jstastny
jwendell
jwon
krathod
kverlaen
lgao
lmohanty
lthon
madam
mkudlej
mnovotny
mosmerov
msochure
msvehla
mszynkie
njean
nwallace
openstack-sig
oskutka
ovanders
pabelanger
pahickey
pdelbell
peholase
pgallagh
pjindal
pmackay
pvalena
rcernich
rguimara
rrajasek
rruss
rstancel
rsvoboda
ruby-packagers-sig
slucidi
smaestri
sseago
stcannon
strzibny
thrcka
tjochec
tkral
tom.jenkinson
twalsh
tzimanyi
vondruch
zebob.m