undici up to version 5.8.3 is vulnerable to Server-Side Request Forgery (SSRF). When an application passes user input into the 'path'/'pathname' option of 'undici.request', an attacker can induce the server-side application to make unintended requests. If the supplied value is a URL such as 'http://127.0.0.1' or '//127.0.0.1', the request is not processed as 'http://example.org//127.0.0.1' (or 'http://example.org/http://127.0.0.1' when 'http://127.0.0.1' is used); instead it is processed as 'http://127.0.0.1/' and sent to 'http://127.0.0.1'. A developer who passes user input into the 'path' parameter of 'undici.request' will assume that the hostname cannot change, but it can, because the specified path parameter is combined with the base URL; this results in SSRF.
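The following is an added example, not code from the advisory or from the undici project. It uses Node's WHATWG URL parser to show how a caller-supplied path resolves against a fixed base origin (the base 'http://example.org' and the helper names are constructed for this illustration), and one defensive check that refuses any path whose resolved origin differs from the base before the URL is handed to a client such as undici.request.

```javascript
// Constructed base origin for the example; a real service would use its own.
const BASE_ORIGIN = 'http://example.org';

// Resolve a caller-supplied path against the fixed base the way a
// URL-based client does, so we can see where the request would really go.
// '//127.0.0.1' and 'http://127.0.0.1' both resolve to 'http://127.0.0.1/'.
function resolveTarget(userPath, baseOrigin = BASE_ORIGIN) {
  return new URL(userPath, baseOrigin);
}

// Defensive check: accept the path only if the resolved URL keeps the base
// origin (scheme + host + port). Origin-changing inputs are rejected, so the
// hostname really cannot change, which is what the calling code assumes.
function buildRequestUrl(userPath, baseOrigin = BASE_ORIGIN) {
  if (typeof userPath !== 'string' || userPath.length === 0) {
    throw new Error('path must be a non-empty string');
  }
  const target = resolveTarget(userPath, baseOrigin);
  const expected = new URL(baseOrigin).origin;
  if (target.origin !== expected) {
    throw new Error(`path resolves to ${target.origin}, not ${expected}; refused`);
  }
  return target.href;
}

// Hypothetical helper: classify a batch of candidate paths, returning the
// URL that would be sent for accepted ones and the reason for rejected ones.
// A real caller would pass an accepted URL string to undici.request.
function checkPaths(paths, baseOrigin = BASE_ORIGIN) {
  return paths.map((p) => {
    try {
      return { path: p, url: buildRequestUrl(p, baseOrigin), ok: true };
    } catch (err) {
      return { path: p, url: null, ok: false, reason: err.message };
    }
  });
}

// Constructed sample inputs: two ordinary paths and two that change the host.
const sampleResults = checkPaths([
  '/api/items?id=1',
  'api/items',
  '//127.0.0.1',
  'http://127.0.0.1',
]);
```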
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8, via RHSA-2022:7276: https://access.redhat.com/errata/RHSA-2022:7276
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-35949