2121068 – (CVE-2022-35949) CVE-2022-35949 nodejs: undici.request vulnerable to SSRF

Bug 2121068 (CVE-2022-35949) - CVE-2022-35949 nodejs: undici.request vulnerable to SSRF

Summary: CVE-2022-35949 nodejs: undici.request vulnerable to SSRF

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-35949
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2121294
Blocks:	2120010
TreeView+	depends on / blocked

Reported:	2022-08-24 11:37 UTC by ybuenos
Modified:	2024-03-15 23:30 UTC (History)
CC List:	8 users (show)
Fixed In Version:	undici 5.8.2
Doc Type:	If docs needed, set a value
Doc Text:	A Server-Side Request Forgery (SSRF) vulnerability was found in undici, a HTTP/1.1 client for Node.js. An attacker can manipulate the server-side application to make requests to an unintended location when they use the 'path/pathname' option in 'undici.request'.
Clone Of:
Environment:
Last Closed:	2022-12-03 02:16:46 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2022:7276	0	None	None	None	2022-11-01 16:53:20 UTC

Description ybuenos 2022-08-24 11:37:06 UTC

The undici up to version 5.8.3, is vulnerable to Server-side Request Forgery (SSRF). When an application takes the user input into the 'path/pathname' option of 'undici.request' attacker can induce the server-side application to make unintented requests.

If a victim specifies a URL such as 'http://127.0.0.1' or '//127.0.0.1' instead of processing the request as 'http://example.org//127.0.0.1' (or 'http://example.org/http://127.0.0.1' when 'http://127.0.0.1 is used'), it actually processes the request as 'http://127.0.0.1/' and sends it to 'http://127.0.0.1'. If a developer passes in user input into 'path' parameter of 'undici.request', it can result in an SSRF as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL.

Comment 3 errata-xmlrpc 2022-11-01 16:53:18 UTC

This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:7276 https://access.redhat.com/errata/RHSA-2022:7276

Comment 4 Product Security DevOps Team 2022-12-03 02:16:44 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-35949

Note You need to log in before you can comment on or make changes to this bug.