CVE-2023-45143 — LOW (3.9) — White Hats Nepal

Q: How severe is CVE-2023-45143?

CVE-2023-45143 has been rated LOW with a CVSS base score of 3.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-45143?

Check the references section above for vendor advisories and patch information. Affected products include: Nodejs Undici, Fedoraproject Fedora.

Vulnerability Description

Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version 5.26.2. There are no known workarounds.

CVSS Score

3.9

LOW

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Nodejs	Undici	< 5.26.2
Fedoraproject	Fedora	37

Related Weaknesses (CWE)

CWE-200

References

https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76Patch
https://github.com/nodejs/undici/releases/tag/v5.26.2Release Notes
https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qpNot Applicable
https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2gVendor Advisory
https://hackerone.com/reports/2166948Permissions Required
https://lists.fedoraproject.org/archives/list/[email protected]Mailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing ListThird Party Advisory
https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76Patch
https://github.com/nodejs/undici/releases/tag/v5.26.2Release Notes
https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qpNot Applicable
https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2gVendor Advisory

FAQ

What is CVE-2023-45143?

CVE-2023-45143 is a vulnerability with a CVSS score of 3.9 (LOW). Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By d...

How severe is CVE-2023-45143?

CVE-2023-45143 has been rated LOW with a CVSS base score of 3.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-45143?

Check the references section above for vendor advisories and patch information. Affected products include: Nodejs Undici, Fedoraproject Fedora.