More information
#### Details
When fetching a remote url with Cookie if it get Location response header then it will follow that url and try to fetch that url with provided cookie . So cookie is leaked here to thirdparty.
Ex: you try to fetch example.com with cookie and if it get redirect url to attacker.com then it fetch that redirect url with provided cookie .
#### Severity
- CVSS Score: 6.1 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
#### References
- [https://nvd.nist.gov/vuln/detail/CVE-2022-1365](https://nvd.nist.gov/vuln/detail/CVE-2022-1365)
- [https://github.com/lquixada/cross-fetch/pull/135](https://togithub.com/lquixada/cross-fetch/pull/135)
- [https://github.com/lquixada/cross-fetch/commit/a3b3a9481091ddd06b8f83784ba9c4e034dc912a](https://togithub.com/lquixada/cross-fetch/commit/a3b3a9481091ddd06b8f83784ba9c4e034dc912a)
- [https://github.com/lquixada/cross-fetch](https://togithub.com/lquixada/cross-fetch)
- [https://huntr.dev/bounties/ab55dfdd-2a60-437a-a832-e3efe3d264ac](https://huntr.dev/bounties/ab55dfdd-2a60-437a-a832-e3efe3d264ac)
This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-7gc6-qh9x-w6h8) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
When fetching a remote url with Cookie if it get Location response header then it will follow that url and try to fetch that url with provided cookie . So cookie is leaked here to thirdparty.
Ex: you try to fetch example.com with cookie and if it get redirect url to attacker.com then it fetch that redirect url with provided cookie .
Release Notes
lquixada/cross-fetch (cross-fetch)
### [`v3.1.5`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.1.5)
[Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.1.4...v3.1.5)
#### What's Changed
- chore: updated node-fetch version to 2.6.7 by [@dlafreniere](https://togithub.com/dlafreniere) in [https://github.com/lquixada/cross-fetch/pull/124](https://togithub.com/lquixada/cross-fetch/pull/124)
#### New Contributors
- [@dlafreniere](https://togithub.com/dlafreniere) made their first contribution in [https://github.com/lquixada/cross-fetch/pull/124](https://togithub.com/lquixada/cross-fetch/pull/124)
**Full Changelog**: https://github.com/lquixada/cross-fetch/compare/v3.1.4...v3.1.5
### [`v3.1.4`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.1.4)
[Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.1.3...v3.1.4)
🐞 fixed typescript errors.
### [`v3.1.3`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.1.3)
[Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.1.2...v3.1.3)
🐞 fixed typescript compilation error causing [#95](https://togithub.com/lquixada/cross-fetch/issues/95), [#101](https://togithub.com/lquixada/cross-fetch/issues/101), [#102](https://togithub.com/lquixada/cross-fetch/issues/102).
### [`v3.1.2`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.1.2)
[Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.1.1...v3.1.2)
🐞 added missing Headers interface augmentation from lib.dom.iterable.d.ts ([#97](https://togithub.com/lquixada/cross-fetch/issues/97))
### [`v3.1.1`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.1.1)
[Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.1.0...v3.1.1)
🐞 fixed missing fetch api types from constructor signatures [#96](https://togithub.com/lquixada/cross-fetch/issues/96) (thanks [@jstewmon](https://togithub.com/jstewmon))
### [`v3.1.0`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.1.0)
[Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.0.6...v3.1.0)
⚡️ improved TypeScript support with own fetch API type definitions (thanks [@jstewmon](https://togithub.com/jstewmon))
⚡️ set `fetch.ponyfill` to `true` when custom ponyfill implementation is used.
💡 set the same fetch API test suite to run against `node-fetch`, `whatwg-fetch` and native fetch.
### [`v3.0.6`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.0.6)
[Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.0.5...v3.0.6)
⚡️ updated node-fetch to 2.6.1
### [`v3.0.5`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.0.5)
[Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.0.4...v3.0.5)
⚡️ whatwg-fetch is not a prod dependency anymore ([#63](https://togithub.com/lquixada/cross-fetch/issues/63))
⚡️ updated all dev dependencies.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
3.0.4
->3.1.5
3.0.6
->3.1.5
Incorrect Authorization in cross-fetch
CVE-2022-1365 / GHSA-7gc6-qh9x-w6h8
More information
#### Details When fetching a remote url with Cookie if it get Location response header then it will follow that url and try to fetch that url with provided cookie . So cookie is leaked here to thirdparty. Ex: you try to fetch example.com with cookie and if it get redirect url to attacker.com then it fetch that redirect url with provided cookie . #### Severity - CVSS Score: 6.1 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2022-1365](https://nvd.nist.gov/vuln/detail/CVE-2022-1365) - [https://github.com/lquixada/cross-fetch/pull/135](https://togithub.com/lquixada/cross-fetch/pull/135) - [https://github.com/lquixada/cross-fetch/commit/a3b3a9481091ddd06b8f83784ba9c4e034dc912a](https://togithub.com/lquixada/cross-fetch/commit/a3b3a9481091ddd06b8f83784ba9c4e034dc912a) - [https://github.com/lquixada/cross-fetch](https://togithub.com/lquixada/cross-fetch) - [https://huntr.dev/bounties/ab55dfdd-2a60-437a-a832-e3efe3d264ac](https://huntr.dev/bounties/ab55dfdd-2a60-437a-a832-e3efe3d264ac) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-7gc6-qh9x-w6h8) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).GitHub Vulnerability Alerts
CVE-2022-1365
When fetching a remote url with Cookie if it get Location response header then it will follow that url and try to fetch that url with provided cookie . So cookie is leaked here to thirdparty. Ex: you try to fetch example.com with cookie and if it get redirect url to attacker.com then it fetch that redirect url with provided cookie .
Release Notes
lquixada/cross-fetch (cross-fetch)
### [`v3.1.5`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.1.5) [Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.1.4...v3.1.5) #### What's Changed - chore: updated node-fetch version to 2.6.7 by [@dlafreniere](https://togithub.com/dlafreniere) in [https://github.com/lquixada/cross-fetch/pull/124](https://togithub.com/lquixada/cross-fetch/pull/124) #### New Contributors - [@dlafreniere](https://togithub.com/dlafreniere) made their first contribution in [https://github.com/lquixada/cross-fetch/pull/124](https://togithub.com/lquixada/cross-fetch/pull/124) **Full Changelog**: https://github.com/lquixada/cross-fetch/compare/v3.1.4...v3.1.5 ### [`v3.1.4`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.1.4) [Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.1.3...v3.1.4) 🐞 fixed typescript errors. ### [`v3.1.3`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.1.3) [Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.1.2...v3.1.3) 🐞 fixed typescript compilation error causing [#95](https://togithub.com/lquixada/cross-fetch/issues/95), [#101](https://togithub.com/lquixada/cross-fetch/issues/101), [#102](https://togithub.com/lquixada/cross-fetch/issues/102). ### [`v3.1.2`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.1.2) [Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.1.1...v3.1.2) 🐞 added missing Headers interface augmentation from lib.dom.iterable.d.ts ([#97](https://togithub.com/lquixada/cross-fetch/issues/97)) ### [`v3.1.1`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.1.1) [Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.1.0...v3.1.1) 🐞 fixed missing fetch api types from constructor signatures [#96](https://togithub.com/lquixada/cross-fetch/issues/96) (thanks [@jstewmon](https://togithub.com/jstewmon)) ### [`v3.1.0`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.1.0) [Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.0.6...v3.1.0) ⚡️ improved TypeScript support with own fetch API type definitions (thanks [@jstewmon](https://togithub.com/jstewmon)) ⚡️ set `fetch.ponyfill` to `true` when custom ponyfill implementation is used. 💡 set the same fetch API test suite to run against `node-fetch`, `whatwg-fetch` and native fetch. ### [`v3.0.6`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.0.6) [Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.0.5...v3.0.6) ⚡️ updated node-fetch to 2.6.1 ### [`v3.0.5`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.0.5) [Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.0.4...v3.0.5) ⚡️ whatwg-fetch is not a prod dependency anymore ([#63](https://togithub.com/lquixada/cross-fetch/issues/63)) ⚡️ updated all dev dependencies.Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Mend Renovate. View repository job log here.