Bug 2102001 (CVE-2022-33987) - CVE-2022-33987 nodejs-got: missing verification of requested URLs allows redirects to UNIX sockets
Summary: CVE-2022-33987 nodejs-got: missing verification of requested URLs allows redi...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-33987
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2102193 2102908 2102897 2102898 2102899 2102900 2102901 2102909 2102910 2102911 2102912 2102913 2102914 2102915 2102916 2102917 2102918 2102919 2102920 2102921 2102922 2102923 2102924 2108132 2108133 2108134 2108135 2108136 2108137 2108138 2108139 2108140 2108141 2108142 2108143 2108144 2108145 2108146 2108147 2108149 2108150 2109919 2109920 2109921 2109928 2111127 2124229 2160572
Blocks: 2099261
Reported: 2022-06-29 04:50 UTC by TEJ RATHI
Modified: 2024-03-19 02:18 UTC

Fixed In Version: got 11.8.5, got 12.1.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the `got` package for Node.js. got does not verify the URLs it is redirected to, so a redirect in a server's response can send the request to a local UNIX socket instead of a network host.
Clone Of:
Environment:
Last Closed: 2022-11-30 06:57:45 UTC
Embargoed:


Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2022:6389  0        None      None    None     2022-09-08 07:42:39 UTC
Red Hat Product Errata  RHSA-2022:6448  0        None      None    None     2022-09-13 09:44:11 UTC
Red Hat Product Errata  RHSA-2022:6449  0        None      None    None     2022-09-13 09:44:38 UTC
Red Hat Product Errata  RHSA-2022:6595  0        None      None    None     2022-09-20 12:24:17 UTC
Red Hat Product Errata  RHSA-2022:6985  0        None      None    None     2022-10-18 08:17:35 UTC

Description TEJ RATHI 2022-06-29 04:50:24 UTC
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

https://github.com/sindresorhus/got/pull/2047
https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0
https://github.com/sindresorhus/got/releases/tag/v11.8.5

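As an added example (not got's own code and not taken from this bug or the linked PR), the following JavaScript shows what the missing check looks like from the application side: a function that recognizes got-style UNIX-socket URLs in a redirect target, a redirect validator built on it, and a got `beforeRedirect` hook that refuses such a redirect. The URL convention `http://unix:<socket path>:<request path>` is got's documented way of addressing UNIX sockets; the parsing regex is an approximation of got's, the function names and sample redirects are constructed here, and the hook signature is assumed from the got 11/12 documentation. Upgrading to got 11.8.5 or 12.1.0 is the fix; the hook is defence in depth for code that cannot upgrade yet.

```javascript
// Added example, not code from got or from this bug: a check that detects redirects to
// UNIX sockets and a got `beforeRedirect` hook built on it.
// got (11.x/12.x) addresses a UNIX socket with a URL whose hostname is "unix" and whose
// path is "<socket path>:<request path>", e.g.
//   http://unix:/var/run/docker.sock:/containers/json
// ASSUMPTION: that convention is taken from got's documentation; the regex below is our
// approximation of got's parsing, and every function name here is ours.

// Return { socketPath, requestPath } if `url` addresses a UNIX socket the got way, else null.
// The WHATWG URL parser lowercases the hostname, so "UNIX:" is caught as well.
function unixSocketTarget(url) {
  const u = url instanceof URL ? url : new URL(String(url));
  if (u.hostname !== 'unix') {
    return null;
  }
  const match = /^(.+?):(.+)$/.exec(u.pathname);
  if (!match) {
    return null;
  }
  return { socketPath: match[1], requestPath: match[2] };
}

// Resolve a Location header against the URL that answered with the redirect (as an HTTP
// client does) and decide whether following it is acceptable. `allowedHosts` is optional;
// when given, the target hostname must be on the list.
function checkRedirect(fromUrl, location, { allowedHosts } = {}) {
  let target;
  try {
    target = new URL(location, fromUrl);
  } catch {
    return { ok: false, reason: 'unparseable Location header' };
  }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    return { ok: false, reason: `protocol ${target.protocol} not allowed`, url: target.href };
  }
  const sock = unixSocketTarget(target);
  if (sock) {
    return { ok: false, reason: `UNIX socket ${sock.socketPath}`, url: target.href };
  }
  if (allowedHosts && !allowedHosts.includes(target.hostname)) {
    return { ok: false, reason: `host ${target.hostname} not allowed`, url: target.href };
  }
  return { ok: true, url: target.href };
}

// got hook that refuses the redirect instead of following it. ASSUMPTION: got's
// `beforeRedirect` hooks (11.x/12.x) are called as (options, response) with `options.url`
// already set to the redirect target as a URL object; check the docs of the got version
// in use. Usage: got(url, { hooks: { beforeRedirect: [unixSocketGuardHook] } })
function unixSocketGuardHook(options) {
  const sock = unixSocketTarget(options.url);
  if (sock) {
    throw new Error(`Refusing redirect to UNIX socket ${sock.socketPath}`);
  }
}

// Constructed sample redirects (not captured from any real server): the first is the
// CVE scenario, the second a benign same-host redirect, the third an off-host redirect.
const SAMPLE_REDIRECTS = [
  ['https://api.example.com/v1/items', 'http://unix:/var/run/docker.sock:/containers/json'],
  ['https://api.example.com/v1/items', '/v1/items?page=2'],
  ['https://api.example.com/v1/items', 'https://evil.example/'],
];

function runSamples() {
  return SAMPLE_REDIRECTS.map(([from, loc]) =>
    checkRedirect(from, loc, { allowedHosts: ['api.example.com'] }));
}

for (const verdict of runSamples()) {
  console.log(JSON.stringify(verdict));
}
```

Note that an unpatched got would have connected to `/var/run/docker.sock` in the first sample and sent the request path `/containers/json` to it, which is why the protocol check alone (the target is still `http:`) is not enough and the hostname/path convention has to be recognized explicitly.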
Comment 4 Anten Skrabec 2022-07-01 00:20:17 UTC
Created dotnet6.0 tracking bugs for this issue:

Affects: fedora-all [bug 2102911]


Created golang-ariga-atlas tracking bugs for this issue:

Affects: fedora-all [bug 2102912]


Created golang-entgo-ent tracking bugs for this issue:

Affects: fedora-all [bug 2102913]


Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2102914]


Created mozjs68 tracking bugs for this issue:

Affects: fedora-all [bug 2102915]


Created mozjs78 tracking bugs for this issue:

Affects: fedora-all [bug 2102916]


Created nodejs-nodemon tracking bugs for this issue:

Affects: fedora-all [bug 2102917]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2102918]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2102908]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2102919]


Created npm-name-cli tracking bugs for this issue:

Affects: fedora-all [bug 2102920]


Created seamonkey tracking bugs for this issue:

Affects: epel-all [bug 2102909]
Affects: fedora-all [bug 2102921]


Created syncthing tracking bugs for this issue:

Affects: epel-all [bug 2102910]


Created vagrant tracking bugs for this issue:

Affects: fedora-all [bug 2102922]


Created yarnpkg tracking bugs for this issue:

Affects: fedora-all [bug 2102923]


Created zuul tracking bugs for this issue:

Affects: fedora-all [bug 2102924]

Comment 9 errata-xmlrpc 2022-09-08 07:42:32 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:6389 https://access.redhat.com/errata/RHSA-2022:6389

Comment 10 errata-xmlrpc 2022-09-13 09:44:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6448 https://access.redhat.com/errata/RHSA-2022:6448

Comment 11 errata-xmlrpc 2022-09-13 09:44:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6449 https://access.redhat.com/errata/RHSA-2022:6449

Comment 12 errata-xmlrpc 2022-09-20 12:24:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:6595 https://access.redhat.com/errata/RHSA-2022:6595

Comment 14 errata-xmlrpc 2022-10-18 08:17:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:6985 https://access.redhat.com/errata/RHSA-2022:6985

Comment 16 Product Security DevOps Team 2022-11-30 06:57:41 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-33987
