Bug 2269576 (CVE-2024-28849) - CVE-2024-28849 follow-redirects: Possible credential leak
Summary: CVE-2024-28849 follow-redirects: Possible credential leak
Keywords:
Status: NEW
Alias: CVE-2024-28849
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2269577 2269578 2269579 2269580 2269583 2269584 2269585 2269587 2270188
Blocks: 2269586
TreeView+ depends on / blocked
 
Reported: 2024-03-14 18:20 UTC by Marco Benatto
Modified: 2025-05-06 08:28 UTC (History)
134 users (show)

Fixed In Version: follow-redirects 1.15.6
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:0041 0 None None None 2024-06-27 11:24:36 UTC
Red Hat Product Errata RHSA-2024:1474 0 None None None 2024-03-27 15:00:58 UTC
Red Hat Product Errata RHSA-2024:3316 0 None None None 2024-05-23 06:40:24 UTC
Red Hat Product Errata RHSA-2024:3550 0 None None None 2024-06-03 11:54:11 UTC
Red Hat Product Errata RHSA-2024:3781 0 None None None 2024-06-10 18:37:32 UTC
Red Hat Product Errata RHSA-2024:3868 0 None None None 2024-06-17 00:44:38 UTC
Red Hat Product Errata RHSA-2024:3989 0 None None None 2024-06-20 00:35:30 UTC
Red Hat Product Errata RHSA-2024:4836 0 None None None 2024-07-24 16:18:51 UTC
Red Hat Product Errata RHSA-2024:7164 0 None None None 2024-09-26 03:48:28 UTC

Description Marco Benatto 2024-03-14 18:20:55 UTC 
follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.

https://fetch.spec.whatwg.org/#authentication-entries
https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b
https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp
https://github.com/psf/requests/issues/1885
https://hackerone.com/reports/2390009
Comment 1 Marco Benatto 2024-03-14 18:21:27 UTC 
Created cachelib tracking bugs for this issue:

Affects: fedora-all [bug 2269577]


Created fbthrift tracking bugs for this issue:

Affects: fedora-all [bug 2269578]


Created pgadmin4 tracking bugs for this issue:

Affects: fedora-all [bug 2269580]


Created rstudio tracking bugs for this issue:

Affects: fedora-all [bug 2269579]
Comment 3 Marco Benatto 2024-03-14 18:38:44 UTC 
Public commit for this issue:
https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b
Comment 4 Marco Benatto 2024-03-14 18:41:36 UTC 
Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-7 [bug 2269587]
Comment 7 errata-xmlrpc 2024-03-27 15:00:51 UTC 
This issue has been addressed in the following products:

  RHOL-5.8-RHEL-9

Via RHSA-2024:1474 https://access.redhat.com/errata/RHSA-2024:1474
Comment 12 errata-xmlrpc 2024-05-23 06:40:17 UTC 
This issue has been addressed in the following products:

  MTA-7.0-RHEL-9
  MTA-7.0-RHEL-8

Via RHSA-2024:3316 https://access.redhat.com/errata/RHSA-2024:3316
Comment 13 errata-xmlrpc 2024-06-03 11:54:04 UTC 
This issue has been addressed in the following products:

  HawtIO 4.0.0 for Red Hat build of Apache Camel 4

Via RHSA-2024:3550 https://access.redhat.com/errata/RHSA-2024:3550
Comment 15 errata-xmlrpc 2024-06-10 18:37:24 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:3781 https://access.redhat.com/errata/RHSA-2024:3781
Comment 16 errata-xmlrpc 2024-06-17 00:44:30 UTC 
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.6.0-RHEL-9

Via RHSA-2024:3868 https://access.redhat.com/errata/RHSA-2024:3868
Comment 18 errata-xmlrpc 2024-06-20 00:35:22 UTC 
This issue has been addressed in the following products:

  MTA-6.2-RHEL-9
  MTA-6.2-RHEL-8

Via RHSA-2024:3989 https://access.redhat.com/errata/RHSA-2024:3989
Comment 19 errata-xmlrpc 2024-06-27 11:24:27 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:0041 https://access.redhat.com/errata/RHSA-2024:0041
Comment 20 errata-xmlrpc 2024-07-24 16:18:43 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.5

Via RHSA-2024:4836 https://access.redhat.com/errata/RHSA-2024:4836
Comment 21 errata-xmlrpc 2024-09-26 03:48:21 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.8

Via RHSA-2024:7164 https://access.redhat.com/errata/RHSA-2024:7164
Comment 22 Borja Tarraso 2024-11-08 15:28:58 UTC 
This issue has been solved in ACM 2.10.2 via this public advisory https://access.redhat.com/errata/RHBA-2024:2034
Comment 23 Borja Tarraso 2024-11-08 15:42:47 UTC 
This issue has been solved in MCE 2.5.3 via this public advisory https://access.redhat.com/errata/RHBA-2024:2862
Note You need to log in before you can comment on or make changes to this bug.