Improper Authorization Affecting org.webjars.npm:undici package, versions [,5.28.4)


Severity

Recommended
0.0
low
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.09% (41st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improper Authorization vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JAVA-ORGWEBJARSNPM-6591105
  • published15 Apr 2024
  • disclosed4 Apr 2024
  • creditLinzi Shang

Introduced: 4 Apr 2024

CVE-2024-30260  (opens in a new tab)
CWE-285  (opens in a new tab)

How to fix?

Upgrade org.webjars.npm:undici to version 5.28.4 or higher.

Overview

org.webjars.npm:undici is an An HTTP/1.1 client, written from scratch for Node.js

Affected versions of this package are vulnerable to Improper Authorization due to improper handling of Proxy-Authorization headers during cross-origin redirects in certain methods. An attacker can exploit this behavior by inducing a victim to make a request that triggers a cross-origin redirect, potentially leaking sensitive information contained in the Proxy-Authorization header.

CVSS Base Scores

version 3.1