PT-2022-13124 · Unknown · Simple-Get

Published

2022-01-26

Updated

2024-06-15

CVE-2022-0355

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions simple-get versions prior to 4.0.1

Description The issue concerns the exposure of sensitive information, specifically session cookies, to unauthorized parties when fetching remote URLs with cookie location responses. This occurs because headers are followed, potentially leading to the disclosure of sensitive information.

Recommendations For versions prior to 4.0.1, update to version 4.0.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of the simple-get module to minimize the risk of exploitation. Avoid using simple-get to fetch remote URLs with cookie location responses until the issue is resolved.

Exploit

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200CWE-212

Related Identifiers

CVE-2022-0355

GHSA-WPG7-2C88-R8XV

OPENSUSE-SU-2024:12718-1

Affected Products

Simple-Get

PT-2022-13124 · Unknown · Simple-Get

CVE-2022-0355

Weakness Enumeration

Related Identifiers

Affected Products

References · 14