{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47025?format=json","vulnerability_id":"VCID-p6ay-wzxh-qugg","summary":"Exposure of Sensitive Information to an Unauthorized Actor\nUndici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared the `Authorization` header on cross-origin redirects, but did not clear the `Proxy-Authorization` header (referred to as `Proxy-Authentication` in the original advisory text; the standard HTTP header name is `Proxy-Authorization`), so proxy credentials could be forwarded to a different origin when a request was redirected. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.","aliases":[{"alias":"CVE-2024-24758"},{"alias":"GHSA-3787-6prv-h9w3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/68980?format=json","purl":"pkg:npm/undici@5.28.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/undici@5.28.3"},{"url":"http://public2.vulnerablecode.io/api/packages/68978?format=json","purl":"pkg:npm/undici@6.6.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.6.1"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/68979?format=json","purl":"pkg:npm/undici@5.28.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-p6ay-wzxh-qugg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/undici@5.28.2"},{"url":"http://public2.vulnerablecode.io/api/packages/68976?format=json","purl":"pkg:npm/undici@6.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7axr-j2xk-cugt"},{"vulnerability":"VCID-gtpw-gdtw-y3an"},{"vulnerability":"VCID-kqg3-sar6-b7em"},{"vulnerability":"VCID-p6ay-wzxh-qugg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/68977?format=json","purl":"pkg:npm/undici@6.6.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gtpw-gdtw-y3an"},{"vulnerability
":"VCID-p6ay-wzxh-qugg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.6.0"}],"references":[{"reference_url":"https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef"},{"reference_url":"https://github.com/nodejs/undici/commit/d3aa574b1259c1d8d329a0f0f495ee82882b1458","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/nodejs/undici/commit/d3aa574b1259c1d8d329a0f0f495ee82882b1458"},{"reference_url":"https://github.com/nodejs/undici/releases/tag/v5.28.3","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/nodejs/undici/releases/tag/v5.28.3"},{"reference_url":"https://github.com/nodejs/undici/releases/tag/v6.6.1","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/nodejs/undici/releases/tag/v6.6.1"},{"reference_url":"https://github.com/advisories/GHSA-3787-6prv-h9w3","reference_id":"GHSA-3787-6prv-h9w3","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3787-6prv-h9w3"},{"reference_url":"https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3","reference_id":"GHSA-3787-6prv-h9w3","reference_type":"","scores":[],"url":"https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3"}],"weaknesses":[{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."},{"cwe_id":200,"name":"Exposure of Sensitive Information to an Unauthorized Actor","description":"The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category 
are related to the A9 category in the OWASP Top Ten 2013."}],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p6ay-wzxh-qugg"}