CVE-2022-0536 - OpenCVE

Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Follow-redirects Project	Follow-redirects

Configuration 1 [-]

cpe:2.3:a:follow-redirects_project:follow-redirects:*:*:*:*:*:node.js:*:*

References

Link	Resource
https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445	Patch Third Party Advisory
https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: @huntrdev

Published: 2022-02-09T10:45:10

Updated: 2023-08-02T08:48:13.471Z

Reserved: 2022-02-08T00:00:00

Link: CVE-2022-0536

JSON object: View

NVD Information

Status : Modified

Published: 2022-02-09T11:15:08.647

Modified: 2023-08-02T09:15:11.677

Link: CVE-2022-0536

JSON object: View

Redhat Information

No data.

CWE

CWE-212

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "follow-redirects/follow-redirects", "vendor": "follow-redirects", "versions": [{"lessThan": "1.14.8", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.</p>"}], "value": "Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-212", "description": "CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev", "dateUpdated": "2023-08-02T08:48:13.471Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445"}], "source": {"advisory": "7cf2bf90-52da-4d59-8028-a73b132de0db", "discovery": "EXTERNAL"}, "title": "Improper Removal of Sensitive Information Before Storage or Transfer in follow-redirects/follow-redirects", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@huntr.dev", "ID": "CVE-2022-0536", "STATE": "PUBLIC", "TITLE": "Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects/follow-redirects"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "follow-redirects/follow-redirects", "version": {"version_data": [{"version_affected": "<", "version_value": "1.14.8"}]}}]}, "vendor_name": "follow-redirects"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "ADJACENT", "availabilityImpact": "NONE", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}]}, "references": {"reference_data": [{"name": "https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db", "refsource": "CONFIRM", "url": "https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db"}, {"name": "https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445", "refsource": "MISC", "url": "https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445"}]}, "source": {"advisory": "7cf2bf90-52da-4d59-8028-a73b132de0db", "discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "cveId": "CVE-2022-0536", "datePublished": "2022-02-09T10:45:10", "dateReserved": "2022-02-08T00:00:00", "dateUpdated": "2023-08-02T08:48:13.471Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:follow-redirects_project:follow-redirects:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "E236EBC1-2155-4EBB-9A6B-F456D8BB4766", "versionEndExcluding": "1.14.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.\n\n"}, {"lang": "es", "value": "Una Exposici\u00f3n de Informaci\u00f3n Confidencial a un Actor no Autorizado en NPM follow-redirects versiones anteriores a 1.14.8"}], "id": "CVE-2022-0536", "lastModified": "2023-08-02T09:15:11.677", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "security@huntr.dev", "type": "Secondary"}]}, "published": "2022-02-09T11:15:08.647", "references": [{"source": "security@huntr.dev", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445"}, {"source": "security@huntr.dev", "tags": ["Third Party Advisory"], "url": "https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-212"}], "source": "security@huntr.dev", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-212"}], "source": "nvd@nist.gov", "type": "Secondary"}]}