PT-2024-2572 · Unknown+3 · Follow-Redirects+3
4Xpl0R3R · Published 2024-03-14 · Updated 2026-04-28 · CVE-2024-28849
CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: follow-redirects versions prior to 1.15.6

Description: The issue is related to insufficient protection of sensitive data in the follow-redirects module, a drop-in replacement for Node's http and https modules. The module automatically follows redirects, but during cross-domain redirects it clears only the authorization header and keeps the proxy-authentication header, which contains credentials. This may lead to a credential leak. There are no known workarounds for this issue.

Recommendations: For versions prior to 1.15.6, upgrade to version 1.15.6 to address the issue. As a temporary workaround, consider removing the proxy-authentication header during cross-domain redirects.
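The following is an added illustration of the workaround described above; it is not code from the follow-redirects project. It strips credential-bearing headers when a redirect leaves the original origin and wraps that check in a hook shaped like follow-redirects' `beforeRedirect(options, response, request)` option (the `options.protocol`/`hostname`/`port`/`path` fields and `request.url` are assumed from that API). "Cross-domain" is taken here to mean the scheme or host differs; the header the advisory calls "proxy-authentication" is sent on the wire as Proxy-Authorization.

```javascript
// Added example, not follow-redirects' own code.
// Both headers below carry credentials and must not follow a redirect
// to another origin. Names are compared case-insensitively.
const CREDENTIAL_HEADERS = new Set(["authorization", "proxy-authorization"]);

// Assumed definition of "cross-domain": scheme or host (incl. port) differs.
function isCrossDomain(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  return from.protocol !== to.protocol || from.host !== to.host;
}

// Return a copy of `headers` that is safe to send to `toUrl`
// after being redirected there from `fromUrl`.
function stripCredentialHeaders(headers, fromUrl, toUrl) {
  if (!isCrossDomain(fromUrl, toUrl)) {
    return { ...headers }; // same origin: credentials may follow the redirect
  }
  const cleaned = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!CREDENTIAL_HEADERS.has(name.toLowerCase())) {
      cleaned[name] = value;
    }
  }
  return cleaned;
}

// Workaround hook in the shape of follow-redirects' `beforeRedirect` option:
// `options` describes the request about to be sent to the redirect target,
// `request.url` is the URL whose response was the redirect (assumed fields).
function beforeRedirect(options, response, request) {
  const port = options.port ? `:${options.port}` : "";
  const target = `${options.protocol}//${options.hostname}${port}${options.path || "/"}`;
  options.headers = stripCredentialHeaders(options.headers || {}, request.url, target);
}

// Constructed sample: a 302 from the API host to an unrelated host.
const sampleOptions = {
  protocol: "https:", hostname: "cdn.example.net", path: "/file",
  headers: {
    Authorization: "Bearer t0k3n",                      // constructed value
    "Proxy-Authorization": "Basic cHJveHk6c2VjcmV0",   // constructed value
    Accept: "*/*",
  },
};
beforeRedirect(sampleOptions, { statusCode: 302, headers: {} },
               { url: "https://api.example.com/v1/file" });
console.log(Object.keys(sampleOptions.headers)); // only Accept survives
```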

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

AZL-36895
AZL-43861
AZL-44493
BDU:2024-02610
CVE-2024-28849
GHSA-CXJH-PQWP-8MFP
OPENSUSE-SU-2024:13830-1
RHSA-2024:3781
USN-8217-1

Affected Products

Debian
Linuxmint
Ubuntu
Follow-Redirects