Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix CVE–2022–1650 #109

Closed
wants to merge 1 commit into from
Closed

Fix CVE–2022–1650 #109

wants to merge 1 commit into from

Conversation

debricked[bot]
Copy link
Contributor

@debricked debricked bot commented Jun 20, 2022

CVE–2022–1650

Vulnerable dependency:     eventsource (npm)    1.0.7

Vulnerability details

Description

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

NVD

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository eventsource/eventsource prior to v2.0.2.

GitHub

Exposure of Sensitive Information in eventsource

When fetching an url with a link to an external site (Redirect), the users Cookies & Autorisation headers are leaked to the third party application. According to the same-origin-policy, the header should be "sanitized."

CVSS details - 9.3

 

CVSS3 metrics
Attack Vector Network
Attack Complexity Low
Privileges Required None
User interaction Required
Scope Changed
Confidentiality High
Integrity High
Availability None
References

    Exposure of Sensitive Information in eventsource · CVE-2022-1650 · GitHub Advisory Database · GitHub
    THIRD PARTY
    fix: strip sensitive headers on redirect to different origin · EventSource/eventsource@10ee0c4 · GitHub
    Exposure of Sensitive Information to an Unauthorized Actor vulnerability found in eventsource
    eventsource/eventsource.js at 82e034389bd2c08d532c63172b8e858c5b185338 · EventSource/eventsource · GitHub
    fix: strip sensitive headers on redirect to different origin · EventSource/eventsource@f9f6416 · GitHub
    Who to contact for security issues · Issue #244 · EventSource/eventsource · GitHub
    GitHub - EventSource/eventsource: EventSource client for Node.js and Browser (polyfill)
    Comparing EventSource:HEAD...sampaguitas:master · EventSource/eventsource · GitHub
    Who to contact for security issues · Issue #244 · EventSource/eventsource · GitHub
    Fix: strip sensitive headers on redirect to different origin by rexxars · Pull Request #273 · EventSource/eventsource · GitHub

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE

 

@AramAlsabti
Copy link
Contributor

Duplicate of #108

@AramAlsabti AramAlsabti marked this as a duplicate of #108 Sep 21, 2022
@ramogens-OS2 ramogens-OS2 deleted the debricked-fix-CVE_2022_1650-6117e3c3dcbf91ff branch November 14, 2023 13:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@AramAlsabti