PT-2023-4735 · Request +2
Szymondrosdzol · Published 2023-03-16 · Updated 2024-08-02
CVE-2023-28155
CVSS v2.0 score: 6.4 (Medium)
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
request package, all versions through 2.88.1
@cypress/request package, versions prior to 3.0.0
Description
The request package (through 2.88.1) and its fork @cypress/request (before 3.0.0) do not sufficiently validate the target of an HTTP redirect. When an attacker-controlled server answers with a 3xx response whose Location header switches protocol (HTTP to HTTPS, or HTTPS to HTTP), the library follows it, and SSRF mitigations that were applied to the original request are not enforced on the new destination: an allowlist check performed only on the initial URL never sees the redirect target, and an agent that filters destinations for one protocol cannot carry over to the other. A remote attacker who can make the application request a URL they control can therefore steer the request to an internal or otherwise disallowed host. The original request package is deprecated and no longer maintained, so no fixed release of it exists; the fork is fixed in @cypress/request 3.0.0.
Recommendations
For request (all versions through 2.88.1): the package is deprecated and will not receive a fix. Migrate to a maintained HTTP client, or to @cypress/request 3.0.0 or later.
For @cypress/request versions prior to 3.0.0: update to version 3.0.0 or later.
Until the dependency can be replaced, do not let the library follow redirects on its own: set the `followRedirect` option to `false`, or to a function that inspects the 3xx response, and apply the same destination check (protocol, hostname and ideally the resolved address) to every Location header before following it. Refusing any redirect that changes protocol is the narrowest check that closes this specific bypass; validating every hop is the check that closes the class.
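The following is an added example written for this advisory; it is not code from the request project or from the advisory's author. It simulates a redirect-following HTTP client with a constructed redirect table standing in for an attacker-controlled server, and contrasts the pattern this CVE defeats (check the URL once, then let the client follow redirects) with a per-hop check that refuses protocol changes. The hostnames, paths and the allowlist are hypothetical.

```javascript
// Added example (not code from the request project or the advisory).
// Simulates a redirect-following client to show why an SSRF check applied
// only to the initial URL is bypassed by a cross-protocol redirect, and what
// re-validating every hop looks like.

// Constructed stand-in for an attacker-controlled server: maps a requested
// URL to the Location header it answers with. Unlisted URLs respond 200.
const FAKE_SERVER = {
  'https://attacker.example/start': 'http://169.254.169.254/latest/meta-data/',
  'https://attacker.example/hop': 'https://internal.example/admin',
};

// Hypothetical allowlist the application enforces for outbound requests.
const ALLOWED_HOSTS = new Set(['attacker.example', 'api.example']);

// The application's SSRF check: HTTPS only, hostname on the allowlist.
function checkUrl(urlString) {
  const url = new URL(urlString);
  if (url.protocol !== 'https:') throw new Error(`protocol not allowed: ${url.protocol}`);
  if (!ALLOWED_HOSTS.has(url.hostname)) throw new Error(`host not allowed: ${url.hostname}`);
  return url;
}

// Stand-in for the network round trip: a 302 with Location, or a 200.
function fakeRequest(urlString) {
  const location = FAKE_SERVER[urlString];
  return location
    ? { status: 302, headers: { location } }
    : { status: 200, headers: {} };
}

// Vulnerable pattern: validate once, then follow redirects blindly.
// Returns the URL that was finally fetched.
function fetchValidateOnce(start, maxRedirects = 5) {
  checkUrl(start);
  let current = new URL(start).toString();
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = fakeRequest(current);
    if (res.status !== 302) return current;
    // Followed without any check: the protocol silently changes here.
    current = new URL(res.headers.location, current).toString();
  }
  throw new Error('too many redirects');
}

// Hardened pattern: re-run the check on every hop and refuse protocol changes.
function fetchValidateEveryHop(start, maxRedirects = 5) {
  let current = checkUrl(start);
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = fakeRequest(current.toString());
    if (res.status !== 302) return current.toString();
    const next = new URL(res.headers.location, current);
    if (next.protocol !== current.protocol) {
      throw new Error(`cross-protocol redirect refused: ${current.protocol} -> ${next.protocol}`);
    }
    current = checkUrl(next.toString());
  }
  throw new Error('too many redirects');
}

// Small helper so the self-check below needs no test framework.
function throwsMatching(fn, pattern) {
  try { fn(); } catch (e) { return pattern.test(e.message); }
  return false;
}

// Self-check: the initial URL passes, so the once-only pattern ends up on the
// metadata service over plain HTTP; the per-hop pattern stops at the protocol
// change, stops at a same-protocol redirect off the allowlist, and still
// serves a legitimate non-redirecting target.
if (fetchValidateOnce('https://attacker.example/start') !== 'http://169.254.169.254/latest/meta-data/') throw new Error('expected bypass');
if (!throwsMatching(() => fetchValidateEveryHop('https://attacker.example/start'), /cross-protocol/)) throw new Error('expected refusal');
if (!throwsMatching(() => fetchValidateEveryHop('https://attacker.example/hop'), /host not allowed/)) throw new Error('expected refusal');
if (fetchValidateEveryHop('https://api.example/data') !== 'https://api.example/data') throw new Error('expected success');
```

With the real request library, the per-hop logic belongs in a `followRedirect` function (the option accepts a function that receives the 3xx response and returns whether to continue) or in your own redirect loop with `followRedirect: false`. In production the check should also resolve the hostname and reject private and link-local addresses, since an allowlisted name can be pointed at an internal address; the example above checks names only to keep it offline.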
Exploit
Fix
SSRF
Affected Products
@cypress/request
Debian
Request