undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue.
This issue has been addressed in the following products:
Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8
Via RHSA-2022:6696 https://access.redhat.com/errata/RHSA-2022:6696
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):