GHSA-9qxr-qj54-h672

Source

https://github.com/advisories/GHSA-9qxr-qj54-h672

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-9qxr-qj54-h672/GHSA-9qxr-qj54-h672.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-9qxr-qj54-h672

Aliases

CVE-2024-30261

Related

CVE-2024-30261

Published

2024-04-04T14:20:54Z

Modified

2024-04-20T00:31:52Z

Severity

2.6 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect

Details

Impact

If an attacker can alter the integrity option passed to fetch(), they can let fetch() accept requests as valid even if they have been tampered.

Patches

Fixed in https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3. Fixes has been released in v5.28.4 and v6.11.1.

Workarounds

Ensure that integrity cannot be tampered with.

References

https://hackerone.com/reports/2377760

Database specific

{
    "nvd_published_at": "2024-04-04T15:15:39Z",
    "cwe_ids": [
        "CWE-284"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-04T14:20:54Z"
}

References

Affected packages

npm / undici

Package

Name: undici; View open source insights on deps.dev
Purl: pkg:npm/undici

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.28.4