Bug 2269576 (CVE-2024-28849) - CVE-2024-28849 follow-redirects: Possible credential leak
Summary: CVE-2024-28849 follow-redirects: Possible credential leak
Keywords:
Status: NEW
Alias: CVE-2024-28849
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2269578 2269583 2269587 2270188 2269577 2269579 2269580 2269584 2269585
Blocks: 2269586
TreeView+ depends on / blocked
 
Reported: 2024-03-14 18:20 UTC by Marco Benatto
Modified: 2024-06-17 00:44 UTC (History)
141 users (show)

Fixed In Version: follow-redirects 1.15.6
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the follow-redirects package. While processing the cross-domain redirection, `follow-redirects` clears authorization headers, however, it misses clearing proxy-authentication headers, which contain credentials as well. This issue may lead to credential leaking, having a high impact on data confidentiality.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:1474 0 None None None 2024-03-27 15:00:58 UTC
Red Hat Product Errata RHSA-2024:3316 0 None None None 2024-05-23 06:40:24 UTC
Red Hat Product Errata RHSA-2024:3550 0 None None None 2024-06-03 11:54:11 UTC
Red Hat Product Errata RHSA-2024:3781 0 None None None 2024-06-10 18:37:32 UTC
Red Hat Product Errata RHSA-2024:3868 0 None None None 2024-06-17 00:44:38 UTC

Description Marco Benatto 2024-03-14 18:20:55 UTC
follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.

https://fetch.spec.whatwg.org/#authentication-entries
https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b
https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp
https://github.com/psf/requests/issues/1885
https://hackerone.com/reports/2390009

Comment 1 Marco Benatto 2024-03-14 18:21:27 UTC
Created cachelib tracking bugs for this issue:

Affects: fedora-all [bug 2269577]


Created fbthrift tracking bugs for this issue:

Affects: fedora-all [bug 2269578]


Created pgadmin4 tracking bugs for this issue:

Affects: fedora-all [bug 2269580]


Created rstudio tracking bugs for this issue:

Affects: fedora-all [bug 2269579]

Comment 4 Marco Benatto 2024-03-14 18:41:36 UTC
Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-7 [bug 2269587]

Comment 7 errata-xmlrpc 2024-03-27 15:00:51 UTC
This issue has been addressed in the following products:

  RHOL-5.8-RHEL-9

Via RHSA-2024:1474 https://access.redhat.com/errata/RHSA-2024:1474

Comment 12 errata-xmlrpc 2024-05-23 06:40:17 UTC
This issue has been addressed in the following products:

  MTA-7.0-RHEL-9
  MTA-7.0-RHEL-8

Via RHSA-2024:3316 https://access.redhat.com/errata/RHSA-2024:3316

Comment 13 errata-xmlrpc 2024-06-03 11:54:04 UTC
This issue has been addressed in the following products:

  HawtIO 4.0.0 for Red Hat build of Apache Camel 4

Via RHSA-2024:3550 https://access.redhat.com/errata/RHSA-2024:3550

Comment 15 errata-xmlrpc 2024-06-10 18:37:24 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:3781 https://access.redhat.com/errata/RHSA-2024:3781

Comment 16 errata-xmlrpc 2024-06-17 00:44:30 UTC
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.6.0-RHEL-9

Via RHSA-2024:3868 https://access.redhat.com/errata/RHSA-2024:3868


Note You need to log in before you can comment on or make changes to this bug.