{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47405?format=json","vulnerability_id":"VCID-7axr-j2xk-cugt","summary":"Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect\nIf an attacker can alter the `integrity` option passed to `fetch()`, they can let `fetch()` accept requests as valid even if they have been tampered.","aliases":[{"alias":"CVE-2024-30261"},{"alias":"GHSA-9qxr-qj54-h672"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/69651?format=json","purl":"pkg:npm/undici@5.28.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/undici@5.28.4"},{"url":"http://public2.vulnerablecode.io/api/packages/69652?format=json","purl":"pkg:npm/undici@6.11.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.11.1"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/68976?format=json","purl":"pkg:npm/undici@6.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7axr-j2xk-cugt"},{"vulnerability":"VCID-gtpw-gdtw-y3an"},{"vulnerability":"VCID-kqg3-sar6-b7em"},{"vulnerability":"VCID-p6ay-wzxh-qugg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/undici@6.0.0"}],"references":[{"reference_url":"https://github.com/nodejs/undici","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/nodejs/undici"},{"reference_url":"https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055"},{"reference_url":"https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3"},{"reference_url":"https://hackerone.com/reports/2377760","reference_id":"","reference_type":"","scores":[],"url":"https://hackerone.com/reports/2377760"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240905-0008","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20240905-0008"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-30261","reference_id":"CVE-2024-30261","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-30261"},{"reference_url":"https://github.com/advisories/GHSA-9qxr-qj54-h672","reference_id":"GHSA-9qxr-qj54-h672","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-9qxr-qj54-h672"},{"reference_url":"https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672","reference_id":"GHSA-9qxr-qj54-h672","reference_type":"","scores":[],"url":"https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672"}],"weaknesses":[{"cwe_id":284,"name":"Improper Access Control","description":"The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7axr-j2xk-cugt"}