SB2023101702 - Information disclosure in Undici

Description

This security bulletin contains information about 1 security vulnerability.

1) Information disclosure (CVE-ID: CVE-2023-45143)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to software send Cookies in HTTP headers during cross-origin redirects. A remote attacker can gain unauthorized access to sensitive information.

Remediation

Install update from vendor's website.

References

• https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp
• https://hackerone.com/reports/2166948
• https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g
• https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76
• https://github.com/nodejs/undici/releases/tag/v5.26.2