PT-2023-4735 · Request+2
Szymondrosdzol
Published: 2023-03-16
Updated: 2024-08-02
CVE-2023-28155
CVSS v2.0: 6.4 (Medium)
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Request package versions through 2.88.1
@cypress/request package versions prior to 3.0.0
Description
The issue is related to insufficient validation of incoming requests, allowing a remote attacker to bypass SSRF mitigations via an attacker-controlled server that performs a cross-protocol redirect, such as from HTTP to HTTPS or vice versa. This affects products that are no longer supported by the maintainer.
Recommendations
For Request package versions through 2.88.1, consider updating to a version that is still supported by the maintainer, if available.
For @cypress/request package versions prior to 3.0.0, update to version 3.0.0 or later.
As a temporary workaround, consider restricting access to the vulnerable package until a patch is available.
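The bypass above works because a redirect target is not held to the same rules as the original URL. The following is an added example, not code from the advisory or from the request project: a redirect policy that refuses cross-protocol redirects and re-applies the host allowlist on every hop, wrapped in a hook of the shape request documents for its `followRedirect(response)` option. The allowlist, hostnames and internal-host pattern are constructed for the example; how request's response object exposes the original URL is not assumed, so the hook tracks the current URL itself.

```javascript
// Constructed allowlist policy: the host restriction applied to the first
// request is re-applied to every redirect target.
const examplePolicy = { allowHosts: ['api.example.com'] };

// Literal loopback / RFC 1918 hostnames a redirect must never point at
// (a first filter only; see the note below).
const INTERNAL_HOST = /^(localhost|127\.\d+\.\d+\.\d+|10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+|\[::1\])$/i;

// Decide whether a 3xx Location may be followed from `currentUrl`.
// Returns { ok: true, url } or { ok: false, reason }.
function checkRedirect(currentUrl, location, policy) {
  if (typeof location !== 'string') {
    return { ok: false, reason: 'missing Location header' };
  }
  let from, to;
  try {
    from = new URL(currentUrl);
    to = new URL(location, from); // Location may be relative; resolve against the current URL
  } catch (e) {
    return { ok: false, reason: 'unparseable redirect target' };
  }
  if (to.protocol !== 'http:' && to.protocol !== 'https:') {
    return { ok: false, reason: 'unsupported scheme ' + to.protocol };
  }
  // The case the advisory describes: the redirect switches protocol, so a
  // check bound to the original protocol would otherwise be skipped.
  if (to.protocol !== from.protocol) {
    return { ok: false, reason: 'cross-protocol redirect ' + from.protocol + ' -> ' + to.protocol };
  }
  if (INTERNAL_HOST.test(to.hostname)) {
    return { ok: false, reason: 'redirect to internal host ' + to.hostname };
  }
  if (!policy.allowHosts.includes(to.hostname)) {
    return { ok: false, reason: 'host ' + to.hostname + ' not in allowlist' };
  }
  return { ok: true, url: to };
}

// Hook in the shape of request's `followRedirect(response)` option (a function
// returning true to follow, false to stop). It tracks the current URL across hops.
function makeFollowRedirectHook(startUrl, policy) {
  let current = startUrl;
  return function followRedirect(response) {
    const verdict = checkRedirect(current, response.headers.location, policy);
    if (!verdict.ok) {
      console.warn('redirect blocked: ' + verdict.reason);
      return false;
    }
    current = verdict.url.href;
    return true;
  };
}
```

Matching the literal hostname catches only the obvious internal targets; a complete SSRF guard also validates the address the hostname actually resolves to before connecting.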
Affected products
@Cypress/Request
Debian
Request