Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/undici@6.0.0
Typenpm
Namespace
Nameundici
Version6.0.0
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version6.6.1
Latest_non_vulnerable_version7.18.2
Affected_by_vulnerabilities
0
url VCID-7axr-j2xk-cugt
vulnerability_id VCID-7axr-j2xk-cugt
summary 
Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect
If an attacker can alter the `integrity` option passed to `fetch()`, they can let `fetch()` accept requests as valid even if they have been tampered.
references
0
reference_url https://github.com/nodejs/undici
reference_id
reference_type
scores
url https://github.com/nodejs/undici
1
reference_url https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055
reference_id
reference_type
scores
url https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055
2
reference_url https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3
reference_id
reference_type
scores
url https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3
3
reference_url https://hackerone.com/reports/2377760
reference_id
reference_type
scores
url https://hackerone.com/reports/2377760
4
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33
5
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ
6
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E
7
reference_url https://security.netapp.com/advisory/ntap-20240905-0008
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20240905-0008
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-30261
reference_id CVE-2024-30261
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2024-30261
9
reference_url https://github.com/advisories/GHSA-9qxr-qj54-h672
reference_id GHSA-9qxr-qj54-h672
reference_type
scores
url https://github.com/advisories/GHSA-9qxr-qj54-h672
10
reference_url https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672
reference_id GHSA-9qxr-qj54-h672
reference_type
scores
url https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672
fixed_packages
0
url pkg:npm/undici@6.11.1
purl pkg:npm/undici@6.11.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.11.1
aliases CVE-2024-30261, GHSA-9qxr-qj54-h672
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7axr-j2xk-cugt
1
url VCID-gtpw-gdtw-y3an
vulnerability_id VCID-gtpw-gdtw-y3an
summary 
Uncontrolled Resource Consumption
Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body.
references
0
reference_url https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663
reference_id
reference_type
scores
url https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663
1
reference_url https://github.com/nodejs/undici/releases/tag/v6.6.1
reference_id
reference_type
scores
url https://github.com/nodejs/undici/releases/tag/v6.6.1
2
reference_url https://github.com/advisories/GHSA-9f24-jqhm-jfcw
reference_id GHSA-9f24-jqhm-jfcw
reference_type
scores
url https://github.com/advisories/GHSA-9f24-jqhm-jfcw
3
reference_url https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw
reference_id GHSA-9f24-jqhm-jfcw
reference_type
scores
url https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw
fixed_packages
0
url pkg:npm/undici@6.6.1
purl pkg:npm/undici@6.6.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.6.1
aliases CVE-2024-24750, GHSA-9f24-jqhm-jfcw
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gtpw-gdtw-y3an
2
url VCID-kqg3-sar6-b7em
vulnerability_id VCID-kqg3-sar6-b7em
summary 
Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline
Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`.
references
0
reference_url https://github.com/nodejs/undici
reference_id
reference_type
scores
url https://github.com/nodejs/undici
1
reference_url https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f
reference_id
reference_type
scores
url https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f
2
reference_url https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75
reference_id
reference_type
scores
url https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75
3
reference_url https://hackerone.com/reports/2408074
reference_id
reference_type
scores
url https://hackerone.com/reports/2408074
4
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33
5
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ
6
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E
7
reference_url https://security.netapp.com/advisory/ntap-20240905-0008
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20240905-0008
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-30260
reference_id CVE-2024-30260
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2024-30260
9
reference_url https://github.com/advisories/GHSA-m4v8-wqvr-p9f7
reference_id GHSA-m4v8-wqvr-p9f7
reference_type
scores
url https://github.com/advisories/GHSA-m4v8-wqvr-p9f7
10
reference_url https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7
reference_id GHSA-m4v8-wqvr-p9f7
reference_type
scores
url https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7
fixed_packages
0
url pkg:npm/undici@6.11.1
purl pkg:npm/undici@6.11.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.11.1
aliases CVE-2024-30260, GHSA-m4v8-wqvr-p9f7
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kqg3-sar6-b7em
3
url VCID-p6ay-wzxh-qugg
vulnerability_id VCID-p6ay-wzxh-qugg
summary 
Exposure of Sensitive Information to an Unauthorized Actor
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but does not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
references
0
reference_url https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef
reference_id
reference_type
scores
url https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef
1
reference_url https://github.com/nodejs/undici/commit/d3aa574b1259c1d8d329a0f0f495ee82882b1458
reference_id
reference_type
scores
url https://github.com/nodejs/undici/commit/d3aa574b1259c1d8d329a0f0f495ee82882b1458
2
reference_url https://github.com/nodejs/undici/releases/tag/v5.28.3
reference_id
reference_type
scores
url https://github.com/nodejs/undici/releases/tag/v5.28.3
3
reference_url https://github.com/nodejs/undici/releases/tag/v6.6.1
reference_id
reference_type
scores
url https://github.com/nodejs/undici/releases/tag/v6.6.1
4
reference_url https://github.com/advisories/GHSA-3787-6prv-h9w3
reference_id GHSA-3787-6prv-h9w3
reference_type
scores
url https://github.com/advisories/GHSA-3787-6prv-h9w3
5
reference_url https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3
reference_id GHSA-3787-6prv-h9w3
reference_type
scores
url https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3
fixed_packages
0
url pkg:npm/undici@6.6.1
purl pkg:npm/undici@6.6.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.6.1
aliases CVE-2024-24758, GHSA-3787-6prv-h9w3
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p6ay-wzxh-qugg
Fixing_vulnerabilities
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/undici@6.0.0