Bug 2085307 (CVE-2022-1650) - CVE-2022-1650 eventsource: Exposure of Sensitive Information
Summary: CVE-2022-1650 eventsource: Exposure of Sensitive Information
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-1650
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2085337 2085338 2085339 2085340 2085341 2085342 2085343 2087647 2087648 2087649 2087650 2087653 2087654 2087655 2087656 2089131 2089132 2089133 2089139 2089140 2089141 2089142 2089143 2103267 2105397 2105398 2109280 2109281 2109282 2109283 2109284 2110615 2110616 2110860 2113026 2113027 2115349 2115351 2120740
Blocks: 2085308
Reported: 2022-05-13 00:20 UTC by Anten Skrabec
Modified: 2024-02-06 04:46 UTC

Fixed In Version: eventsource 2.0.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the EventSource npm package, described upstream as "Exposure of Sensitive Information to an Unauthorized Actor." This flaw allows an attacker to steal the user's credentials and then use them to access the legitimate website.
Clone Of:
Environment:
Last Closed: 2022-06-14 19:20:25 UTC
Embargoed:


Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2022:5006  0        None      None    None     2022-06-13 12:44:29 UTC
Red Hat Product Errata  RHSA-2022:5030  0        None      None    None     2022-06-14 14:46:43 UTC
Red Hat Product Errata  RHSA-2022:6156  0        None      None    None     2022-08-24 13:48:12 UTC
Red Hat Product Errata  RHSA-2022:6429  0        None      None    None     2022-09-13 00:58:41 UTC
Red Hat Product Errata  RHSA-2022:6813  0        None      None    None     2022-10-05 10:46:27 UTC
Red Hat Product Errata  RHSA-2022:7055  0        None      None    None     2022-10-19 12:56:33 UTC
Red Hat Product Errata  RHSA-2023:3642  0        None      None    None     2023-06-15 16:00:09 UTC

Description Anten Skrabec 2022-05-13 00:20:12 UTC
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository eventsource/eventsource prior to v2.0.2.

https://huntr.dev/bounties/dc9e467f-be5d-4945-867d-1044d27e9b8e
https://github.com/eventsource/eventsource/commit/10ee0c4881a6ba2fe65ec18ed195ac35889583c4

Comment 17 errata-xmlrpc 2022-06-13 12:44:23 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.1

Via RHSA-2022:5006 https://access.redhat.com/errata/RHSA-2022:5006

Comment 18 errata-xmlrpc 2022-06-14 14:46:38 UTC
This issue has been addressed in the following products:

  Red Hat Fuse Online 7.10.2.P1

Via RHSA-2022:5030 https://access.redhat.com/errata/RHSA-2022:5030

Comment 19 Product Security DevOps Team 2022-06-14 19:20:19 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-1650

Comment 29 errata-xmlrpc 2022-08-24 13:48:06 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Data Foundation 4.11 on RHEL8

Via RHSA-2022:6156 https://access.redhat.com/errata/RHSA-2022:6156

Comment 30 errata-xmlrpc 2022-09-13 00:58:36 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:6429 https://access.redhat.com/errata/RHSA-2022:6429

Comment 31 errata-xmlrpc 2022-10-05 10:46:21 UTC
This issue has been addressed in the following products:

  RHPAM 7.13.1 async

Via RHSA-2022:6813 https://access.redhat.com/errata/RHSA-2022:6813

Comment 32 errata-xmlrpc 2022-10-19 12:56:18 UTC
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 2.6

Via RHSA-2022:7055 https://access.redhat.com/errata/RHSA-2022:7055

Comment 33 errata-xmlrpc 2023-06-15 16:00:01 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642
