suculent / thinx-device-api

Remote IoT Device Management Platform
https://thinx.cloud

Fix CVE-2024-28849 #470

Open debricked[bot] opened 5 months ago

debricked[bot] commented 5 months ago

CVE-2024-28849

Vulnerability details

Description

### Exposure of Sensitive Information to an Unauthorized Actor

> The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

### NVD

> follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears the authorization header during a cross-domain redirect, but keeps the proxy-authentication header, which contains credentials too. This vulnerability may lead to a credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.

### GitHub

> **follow-redirects' Proxy-Authorization header kept across hosts**
>
> When using axios, its dependency library follow-redirects only clears the authorization header during a cross-domain redirect, but allows the proxy-authentication header, which contains credentials too.
>
> **Steps To Reproduce & PoC**
>
> axios Test Code
>
> ```js
> const axios = require('axios');
>
> axios.get('http://127.0.0.1:10081/', {
>   headers: {
>     'AuThorization': 'Rear Test',
>     'ProXy-AuthoriZation': 'Rear Test',
>     'coOkie': 't=1'
>   }
> }).then(function (response) {
>   console.log(response);
> });
> ```
>
> When I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but the proxy-authentication header is kept.
>
> Request sent by axios: (screenshot)
>
> Request sent by follow-redirects after redirect: (screenshot)
>
> **Impact**
>
> This vulnerability may lead to a credentials leak.
>
> **Recommendations**
>
> Remove the proxy-authentication header during cross-domain redirect.
>
> **Recommended Patch**
>
> `follow-redirects/index.js:464`
>
> ```js
> removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
> ```
>
> change to
>
> ```js
> removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
> ```
>
> **Ref**
>
> - https://fetch.spec.whatwg.org/#authentication-entries
> - https://hackerone.com/reports/2390009
CVSS details - 6.5

| CVSS3 metrics | |
|:-|:-|
| Attack Vector | **Network** |
| Attack Complexity | **Low** |
| Privileges Required | **Low** |
| User Interaction | **None** |
| Scope | **Unchanged** |
| Confidentiality | **High** |
| Integrity | **None** |
| Availability | **None** |
References

- [NVD - CVE-2024-28849](https://nvd.nist.gov/vuln/detail/CVE-2024-28849)
- [THIRD PARTY](https://github.com/advisories/GHSA-cxjh-pqwp-8mfp)
- [Drop Proxy-Authorization across hosts. · follow-redirects/follow-redirects@c4f847f · GitHub](https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b)
- [Fetch Standard](https://fetch.spec.whatwg.org/#authentication-entries)
- [Redirect can expose netrc password · Issue #1885 · psf/requests · GitHub](https://github.com/psf/requests/issues/1885)
- [Proxy-Authorization header kept across hosts · Advisory · follow-redirects/follow-redirects · GitHub](https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp)
- [HackerOne](https://hackerone.com/reports/2390009)
- [[SECURITY] Fedora 40 Update: pgadmin4-8.4-2.fc40 - package-announce - Fedora Mailing-Lists](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z/)


Related information

:pushpin: Remember! Check the changes to ensure they don't introduce any breaking changes.
:books: Read more about the CVE
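The header-stripping step at the centre of this CVE, written out as an added example (not code from follow-redirects or this repository): the pre-fix and fixed patterns quoted in the advisory are applied to a sample cross-host redirect so the difference can be checked in a unit test. `isCrossHost`, the sample headers, the placeholder credentials and the hostnames are assumptions; the real library's subdomain and protocol-downgrade rules are not modelled.

```javascript
// Added example, not code from follow-redirects: a simplified model of the
// cross-host header-stripping step behind CVE-2024-28849, pre- and post-fix.
const VULNERABLE_SENSITIVE = /^(?:authorization|cookie)$/i;                // before 1.15.6
const FIXED_SENSITIVE = /^(?:authorization|proxy-authorization|cookie)$/i; // the fix

// Delete every header whose name matches `regex` (case-insensitive, so the
// mixed-case names in the PoC are caught). Returns the removed names.
function removeMatchingHeaders(regex, headers) {
  const removed = [];
  for (const name of Object.keys(headers)) {
    if (regex.test(name)) {
      removed.push(name);
      delete headers[name];
    }
  }
  return removed;
}

// Assumption of this model: a redirect is cross-host when protocol or hostname
// differs (the real library also has subdomain and downgrade rules).
function isCrossHost(fromUrl, toUrl) {
  const a = new URL(fromUrl);
  const b = new URL(toUrl);
  return a.protocol !== b.protocol || a.hostname !== b.hostname;
}

// Headers that would be forwarded to the redirect target under `sensitive`.
function headersAfterRedirect(headers, fromUrl, toUrl, sensitive) {
  const next = { ...headers };
  if (isCrossHost(fromUrl, toUrl)) removeMatchingHeaders(sensitive, next);
  return next;
}

// Constructed sample: placeholder credentials, the PoC's mixed-case header
// names, and constructed hostnames.
const SAMPLE_HEADERS = {
  AuThorization: "Bearer <placeholder-token>",
  "ProXy-AuthoriZation": "Basic <placeholder-proxy-credentials>",
  coOkie: "t=1",
  accept: "application/json",
};
const ORIGIN = "http://api.example.test/";
const CROSS_HOST_TARGET = "http://other.example.test/";

function forwardedBeforeFix() {
  return headersAfterRedirect(SAMPLE_HEADERS, ORIGIN, CROSS_HOST_TARGET, VULNERABLE_SENSITIVE);
}
function forwardedAfterFix() {
  return headersAfterRedirect(SAMPLE_HEADERS, ORIGIN, CROSS_HOST_TARGET, FIXED_SENSITIVE);
}
```

Before the fix `forwardedBeforeFix()` still contains `ProXy-AuthoriZation` while `AuThorization` and `coOkie` are gone; after the fix only `accept` survives the cross-host hop.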