Bug 2256413 (CVE-2023-26159) - CVE-2023-26159 follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse()
Summary: CVE-2023-26159 follow-redirects: Improper Input Validation due to the imprope...
Keywords:
Status: NEW
Alias: CVE-2023-26159
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2256415 2256416 2256417 2256418 2256419 2256420 2256421 2256422 2257405 2271406
Blocks: 2256412
Reported: 2024-01-02 07:00 UTC by Rohit Keshri
Modified: 2025-05-15 08:28 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:7198 0 None None None 2024-02-27 20:50:04 UTC
Red Hat Product Errata RHSA-2024:0271 0 None None None 2024-01-17 11:32:05 UTC
Red Hat Product Errata RHSA-2024:0720 0 None None None 2024-02-07 15:00:27 UTC
Red Hat Product Errata RHSA-2024:0853 0 None None None 2024-02-21 13:32:35 UTC
Red Hat Product Errata RHSA-2024:0998 0 None None None 2024-02-27 02:25:08 UTC
Red Hat Product Errata RHSA-2024:1027 0 None None None 2024-02-28 18:14:50 UTC
Red Hat Product Errata RHSA-2024:3314 0 None None None 2024-05-23 06:29:52 UTC
Red Hat Product Errata RHSA-2024:3316 0 None None None 2024-05-23 06:40:06 UTC
Red Hat Product Errata RHSA-2024:3989 0 None None None 2024-06-20 00:36:03 UTC

Description Rohit Keshri 2024-01-02 07:00:33 UTC
follow-redirects before 1.15.4 is vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.

https://github.com/follow-redirects/follow-redirects/issues/235
https://github.com/follow-redirects/follow-redirects/pull/236
https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137
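
The defensive lesson in the description is that a redirect-following client must not fall back to a lenient legacy parser when the WHATWG parser rejects a Location header: if new URL() throws, the hostname is unknown and the redirect must not be followed. The block below is an added example written for this record; it is not code from the follow-redirects project, from the linked pull request, or from the reporter. It goes slightly beyond the description by also enforcing a host allowlist, refusing https-to-http downgrades and capping the number of hops. The hostnames api.example.test and cdn.example.test, the response chain in SAMPLE_RESPONSES (including one deliberately malformed host) and the functions resolveRedirect, checkRedirect, nextHop and followChain are all constructed for illustration.

```javascript
// Added example, not the follow-redirects project's code: a fail-closed redirect
// resolver for a Node.js HTTP client. The WHATWG URL class is a Node global, so
// no import is needed; the legacy url.parse() is deliberately never consulted.

const SAFE_SCHEMES = new Set(['http:', 'https:']);

// Parse a Location header relative to the request that produced it.
// Returns null when the WHATWG parser rejects it, so the caller refuses to
// follow instead of taking a second, more lenient opinion about the hostname.
function resolveRedirect(currentUrl, location) {
  if (typeof location !== 'string' || location.length === 0) return null;
  try {
    return new URL(location, currentUrl);
  } catch (_err) {
    return null; // "Invalid URL": no hostname can be trusted here
  }
}

// Policy check on an already-parsed target. Returns 'ok' or a reason string.
function checkRedirect(currentUrl, target, allowedHosts = []) {
  const origin = new URL(currentUrl);
  if (!SAFE_SCHEMES.has(target.protocol)) return 'unsupported-scheme';
  if (origin.protocol === 'https:' && target.protocol === 'http:') return 'tls-downgrade';
  const sameHost = target.hostname === origin.hostname;
  if (!sameHost && !allowedHosts.includes(target.hostname)) return 'host-not-allowed';
  return 'ok';
}

// One hop: { follow: true, href } or { follow: false, reason[, href] }.
function nextHop(currentUrl, location, allowedHosts = []) {
  const target = resolveRedirect(currentUrl, location);
  if (target === null) return { follow: false, reason: 'unparseable-location' };
  const verdict = checkRedirect(currentUrl, target, allowedHosts);
  if (verdict !== 'ok') return { follow: false, reason: verdict, href: target.href };
  return { follow: true, href: target.href };
}

// Walk a chain of responses offline. `responses` maps an absolute URL to the
// Location header that URL answers with; a missing key means a final response.
function followChain(startUrl, responses, { allowedHosts = [], maxRedirects = 5 } = {}) {
  const hops = [new URL(startUrl).href];
  let current = hops[0];
  for (;;) {
    const location = responses[current];
    if (location === undefined) return { finalUrl: current, hops, stopped: 'done' };
    if (hops.length - 1 >= maxRedirects) return { finalUrl: current, hops, stopped: 'max-redirects' };
    const hop = nextHop(current, location, allowedHosts);
    if (!hop.follow) return { finalUrl: current, hops, stopped: hop.reason };
    current = hop.href;
    hops.push(current);
  }
}

// Constructed sample chain: a relative redirect, a protocol-relative redirect to
// an allowlisted CDN host, and finally a Location whose host contains a space,
// which the WHATWG parser rejects. The chain stops there instead of guessing.
const SAMPLE_RESPONSES = {
  'https://api.example.test/v1/report': '/login?next=%2Fv1%2Freport',
  'https://api.example.test/login?next=%2Fv1%2Freport': '//cdn.example.test/assets/report',
  'https://cdn.example.test/assets/report': 'http://exa mple.test/final',
};

function runSample() {
  return followChain('https://api.example.test/v1/report', SAMPLE_RESPONSES, {
    allowedHosts: ['cdn.example.test'],
  });
}
```

Calling runSample() follows the first two hops and then stops with stopped set to 'unparseable-location', leaving finalUrl at the last trusted hop. The important design choice is in resolveRedirect: the catch branch returns null rather than retrying with url.parse(), which is exactly the fallback the description identifies as the source of the mismatched hostname.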

Comment 1 Rohit Keshri 2024-01-02 07:28:57 UTC
Created cachelib tracking bugs for this issue:

Affects: fedora-all [bug 2256416]


Created fbthrift tracking bugs for this issue:

Affects: fedora-all [bug 2256417]


Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-all [bug 2256415]


Created pgadmin4 tracking bugs for this issue:

Affects: fedora-all [bug 2256418]


Created rstudio tracking bugs for this issue:

Affects: fedora-all [bug 2256419]

Comment 3 Sandipan Roy 2024-01-03 09:53:59 UTC
follow-redirects is a transitive dependency of Grafana, and it's not affected by this CVE.

Comment 7 errata-xmlrpc 2024-01-17 11:32:00 UTC
This issue has been addressed in the following products:

  RHOL-5.8-RHEL-9

Via RHSA-2024:0271 https://access.redhat.com/errata/RHSA-2024:0271

Comment 11 errata-xmlrpc 2024-02-07 15:00:23 UTC
This issue has been addressed in the following products:

  MTR 1.2.4

Via RHSA-2024:0720 https://access.redhat.com/errata/RHSA-2024:0720

Comment 12 errata-xmlrpc 2024-02-21 13:32:30 UTC
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.5.0-RHEL-9

Via RHSA-2024:0853 https://access.redhat.com/errata/RHSA-2024:0853

Comment 13 errata-xmlrpc 2024-02-27 02:25:04 UTC
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 3.1

Via RHSA-2024:0998 https://access.redhat.com/errata/RHSA-2024:0998

Comment 14 errata-xmlrpc 2024-02-27 20:49:57 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7198 https://access.redhat.com/errata/RHSA-2023:7198

Comment 15 errata-xmlrpc 2024-02-28 18:14:45 UTC
This issue has been addressed in the following products:

  MTA-6.2-RHEL-9
  MTA-6.2-RHEL-8

Via RHSA-2024:1027 https://access.redhat.com/errata/RHSA-2024:1027

Comment 24 errata-xmlrpc 2024-05-23 06:29:43 UTC
This issue has been addressed in the following products:

  RHEL-9-CNV-4.15

Via RHSA-2024:3314 https://access.redhat.com/errata/RHSA-2024:3314

Comment 25 errata-xmlrpc 2024-05-23 06:39:59 UTC
This issue has been addressed in the following products:

  MTA-7.0-RHEL-9
  MTA-7.0-RHEL-8

Via RHSA-2024:3316 https://access.redhat.com/errata/RHSA-2024:3316

Comment 28 errata-xmlrpc 2024-06-20 00:35:53 UTC
This issue has been addressed in the following products:

  MTA-6.2-RHEL-9
  MTA-6.2-RHEL-8

Via RHSA-2024:3989 https://access.redhat.com/errata/RHSA-2024:3989

Comment 30 Borja Tarraso 2024-11-08 16:05:44 UTC
This issue has been solved in MCE 2.4.5 via this public advisory https://access.redhat.com/errata/RHBA-2024:3555
