CVE-2022-32210

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-32210

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-32210.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-32210

Aliases

GHSA-pgw7-wx7w-2w33

Related

GHSA-pgw7-wx7w-2w33

Published

2022-07-14T15:15:08Z

Modified

2025-01-08T08:52:06.999572Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N CVSS Calculator

Summary

[none]

Details

Undici.ProxyAgent never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.

References

Affected packages

Debian:12 / node-undici

Package

Name: node-undici
Purl: pkg:deb/debian/node-undici?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.6.1+dfsg1+~cs18.9.16-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / node-undici

Package

Name: node-undici
Purl: pkg:deb/debian/node-undici?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.6.1+dfsg1+~cs18.9.16-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/nodejs/undici

Affected ranges

Type: GIT
Repo: https://github.com/nodejs/undici
Events: Introduced

7b03c91cefbb46cd9172db4b2758b34155b4f764

Fixed

19563f76ad38a8b4b2b1bfc78957c384775686e3

Affected versions

v4.*

v4.10.0

v4.10.1

v4.10.2

v4.10.3

v4.10.4

v4.11.0

v4.11.1

v4.11.2

v4.11.3

v4.12.0

v4.12.2

v4.13.0

v4.14.0

v4.14.1

v4.15.0

v4.15.1

v4.16.0

v4.8.2

v4.9.0

v4.9.1

v4.9.2

v4.9.3

v4.9.4

v4.9.5

v5.*

v5.0.0

v5.1.0

v5.1.1

v5.2.0

v5.3.0

v5.4.0

v5.5.0