Vulnerability Instance
Look up vulnerabilities affecting packages.
GET /api/vulnerabilities/47025?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47025?format=api", "vulnerability_id": "VCID-p6ay-wzxh-qugg", "summary": "Exposure of Sensitive Information to an Unauthorized Actor\nUndici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but does not clear `Proxy-Authorization` headers, so proxy credentials can leak to the redirect target. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "aliases": [ { "alias": "CVE-2024-24758" }, { "alias": "GHSA-3787-6prv-h9w3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68980?format=api", "purl": "pkg:npm/undici@5.28.3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@5.28.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/68978?format=api", "purl": "pkg:npm/undici@6.6.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.6.1" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68979?format=api", "purl": "pkg:npm/undici@5.28.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-p6ay-wzxh-qugg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@5.28.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/68976?format=api", "purl": "pkg:npm/undici@6.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7axr-j2xk-cugt" }, { "vulnerability": "VCID-gtpw-gdtw-y3an" }, { "vulnerability": "VCID-kqg3-sar6-b7em" }, { "vulnerability": "VCID-p6ay-wzxh-qugg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/68977?format=api", "purl": "pkg:npm/undici@6.6.0", 
"is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gtpw-gdtw-y3an" }, { "vulnerability": "VCID-p6ay-wzxh-qugg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.6.0" } ], "references": [ { "reference_url": "https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef" }, { "reference_url": "https://github.com/nodejs/undici/commit/d3aa574b1259c1d8d329a0f0f495ee82882b1458", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/nodejs/undici/commit/d3aa574b1259c1d8d329a0f0f495ee82882b1458" }, { "reference_url": "https://github.com/nodejs/undici/releases/tag/v5.28.3", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/nodejs/undici/releases/tag/v5.28.3" }, { "reference_url": "https://github.com/nodejs/undici/releases/tag/v6.6.1", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/nodejs/undici/releases/tag/v6.6.1" }, { "reference_url": "https://github.com/advisories/GHSA-3787-6prv-h9w3", "reference_id": "GHSA-3787-6prv-h9w3", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3787-6prv-h9w3" }, { "reference_url": "https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3", "reference_id": "GHSA-3787-6prv-h9w3", "reference_type": "", "scores": [], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3" } ], "weaknesses": [ { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." 
}, { "cwe_id": 200, "name": "Exposure of Sensitive Information to an Unauthorized Actor", "description": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." } ], "exploits": [], "severity_range_score": null, "exploitability": null, "weighted_severity": null, "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p6ay-wzxh-qugg" }