{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47404?format=json","vulnerability_id":"VCID-kqg3-sar6-b7em","summary":"Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline\nUndici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`.","aliases":[{"alias":"CVE-2024-30260"},{"alias":"GHSA-m4v8-wqvr-p9f7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/69651?format=json","purl":"pkg:npm/undici@5.28.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/undici@5.28.4"},{"url":"http://public2.vulnerablecode.io/api/packages/69652?format=json","purl":"pkg:npm/undici@6.11.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.11.1"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/68976?format=json","purl":"pkg:npm/undici@6.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7axr-j2xk-cugt"},{"vulnerability":"VCID-gtpw-gdtw-y3an"},{"vulnerability":"VCID-kqg3-sar6-b7em"},{"vulnerability":"VCID-p6ay-wzxh-qugg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.0.0"}],"references":[{"reference_url":"https://github.com/nodejs/undici","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/nodejs/undici"},{"reference_url":"https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f"},{"reference_url":"https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75"},{"reference_url":"https://hackerone.com/reports/2408074","reference_id":"","reference_type":"","scores":[],"url":"https://hackerone.com/reports/2408074"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240905-0008","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20240905-0008"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-30260","reference_id":"CVE-2024-30260","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-30260"},{"reference_url":"https://github.com/advisories/GHSA-m4v8-wqvr-p9f7","reference_id":"GHSA-m4v8-wqvr-p9f7","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-m4v8-wqvr-p9f7"},{"reference_url":"https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7","reference_id":"GHSA-m4v8-wqvr-p9f7","reference_type":"","scores":[],"url":"https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7"}],"weaknesses":[{"cwe_id":200,"name":"Exposure of Sensitive Information to an Unauthorized Actor","description":"The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information."},{"cwe_id":285,"name":"Improper Authorization","description":"The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action."},{"cwe_id":863,"name":"Incorrect Authorization","description":"The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kqg3-sar6-b7em"}