Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-7axr-j2xk-cugt

Summary

Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect
If an attacker can alter the `integrity` option passed to `fetch()`, they can let `fetch()` accept requests as valid even if they have been tampered.

Aliases

alias	CVE-2024-30261

alias	GHSA-9qxr-qj54-h672

Fixed_packages

url	pkg:npm/undici@5.28.4
purl	pkg:npm/undici@5.28.4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/undici@5.28.4

url	pkg:npm/undici@6.11.1
purl	pkg:npm/undici@6.11.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.11.1

Affected_packages

url pkg:npm/undici@6.0.0

purl pkg:npm/undici@6.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-7axr-j2xk-cugt

vulnerability	VCID-gtpw-gdtw-y3an

vulnerability	VCID-kqg3-sar6-b7em

vulnerability	VCID-p6ay-wzxh-qugg

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.0.0

References

reference_url	https://github.com/nodejs/undici
reference_id
reference_type
scores
url	https://github.com/nodejs/undici

reference_url	https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055
reference_id
reference_type
scores
url	https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055

reference_url	https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3
reference_id
reference_type
scores
url	https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3

reference_url	https://hackerone.com/reports/2377760
reference_id
reference_type
scores
url	https://hackerone.com/reports/2377760

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E

reference_url	https://security.netapp.com/advisory/ntap-20240905-0008
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20240905-0008

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2024-30261
reference_id	CVE-2024-30261
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2024-30261

reference_url	https://github.com/advisories/GHSA-9qxr-qj54-h672
reference_id	GHSA-9qxr-qj54-h672
reference_type
scores
url	https://github.com/advisories/GHSA-9qxr-qj54-h672

reference_url	https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672
reference_id	GHSA-9qxr-qj54-h672
reference_type
scores
url	https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672

Weaknesses

cwe_id	284
name	Improper Access Control
description	The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score null

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7axr-j2xk-cugt

Vulnerability Instance