Bug 2269576 (CVE-2024-28849) - CVE-2024-28849 follow-redirects: Possible credential leak
Summary: CVE-2024-28849 follow-redirects: Possible credential leak
Keywords:
Status: NEW
Alias: CVE-2024-28849
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2269578 2269579 2269583 2269585 2269587 2270188 2269577 2269580 2269584
Blocks: 2269586
TreeView+ depends on / blocked
 
Reported: 2024-03-14 18:20 UTC by Marco Benatto
Modified: 2024-04-16 14:46 UTC (History)
142 users (show)

Fixed In Version: follow-redirects 1.15.6
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the follow-redirects package. While processing the cross-domain redirection, `follow-redirects` clears authorization headers, however, it misses clearing proxy-authentication headers, which contain credentials as well. This issue may lead to credential leaking, having a high impact on data confidentiality.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:1474 0 None None None 2024-03-27 15:00:58 UTC

Description Marco Benatto 2024-03-14 18:20:55 UTC 
follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.

https://fetch.spec.whatwg.org/#authentication-entries
https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b
https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp
https://github.com/psf/requests/issues/1885
https://hackerone.com/reports/2390009
Comment 1 Marco Benatto 2024-03-14 18:21:27 UTC 
Created cachelib tracking bugs for this issue:

Affects: fedora-all [bug 2269577]


Created fbthrift tracking bugs for this issue:

Affects: fedora-all [bug 2269578]


Created pgadmin4 tracking bugs for this issue:

Affects: fedora-all [bug 2269580]


Created rstudio tracking bugs for this issue:

Affects: fedora-all [bug 2269579]
Comment 3 Marco Benatto 2024-03-14 18:38:44 UTC 
Public commit for this issue:
https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b
Comment 4 Marco Benatto 2024-03-14 18:41:36 UTC 
Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-7 [bug 2269587]
Comment 7 errata-xmlrpc 2024-03-27 15:00:51 UTC 
This issue has been addressed in the following products:

  RHOL-5.8-RHEL-9

Via RHSA-2024:1474 https://access.redhat.com/errata/RHSA-2024:1474
Note You need to log in before you can comment on or make changes to this bug.