GHSA-cm5g-3pgc-8rg4

Source
https://github.com/advisories/GHSA-cm5g-3pgc-8rg4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-cm5g-3pgc-8rg4/GHSA-cm5g-3pgc-8rg4.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-cm5g-3pgc-8rg4
Aliases
Published
2024-10-29T18:30:37Z
Modified
2024-12-19T17:52:09Z
Severity
  • 4.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
Summary
Express resource injection
Details

A vulnerability has been identified in the Express response.links function: when unsanitized data is passed to it, arbitrary resources can be injected into the Link header of the response.

The issue arises from the lack of sanitization of Link header values. A value containing a combination of the characters ",", ";", "<" and ">" can close the "<...>" target of the legitimate link and append further link relations, for example a preload of an attacker-chosen resource.

The vulnerability is most relevant where the URLs passed to response.links are built from dynamic, user-controlled parameters (pagination cursors, "next" links and similar).
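As an added illustration, and not Express's own source code or part of the advisory: a minimal Link-header builder that concatenates "<url>; rel="name"" entries joined by ", " in the way the description above implies, a small Link-header consumer that shows what a client would see, an attacker-controlled "next" value that injects a second link relation, and a hardened builder that parses the value as an absolute http(s) URL, optionally checks the host against an allow-list, and percent-encodes the Link delimiters. Every name here (buildLinkHeaderNaive, buildLinkHeaderSafe, sanitizeLinkUrl, parseLinkHeader, ATTACKER_NEXT), the hosts app.example and evil.example, and the sample input are constructed for this example.

```javascript
'use strict';

// Added example: models the Link-header construction the advisory describes.
// It is not Express's source. All names, hosts and inputs here are constructed.

// Naive builder: every value is trusted and concatenated verbatim.
function buildLinkHeaderNaive(links) {
  return Object.keys(links)
    .map((rel) => '<' + links[rel] + '>; rel="' + rel + '"')
    .join(', ');
}

// Minimal Link-header consumer: returns the (url, rel) pairs a client would act on.
function parseLinkHeader(header) {
  const entries = [];
  const re = /<([^>]*)>\s*;\s*rel="([^"]*)"/g;
  let m;
  while ((m = re.exec(header)) !== null) {
    entries.push({ url: m[1], rel: m[2] });
  }
  return entries;
}

// Hardened value handling:
//  1. the value must parse as an absolute http(s) URL (the WHATWG URL parser
//     already percent-encodes <, >, " and whitespace in path and query),
//  2. optionally the host must be on an allow-list,
//  3. the remaining Link delimiters (, and ;, plus any leftover < > " or
//     whitespace) are percent-encoded so the value cannot close the <...> target.
function sanitizeLinkUrl(value, allowedHosts) {
  let url;
  try {
    url = new URL(String(value));
  } catch (err) {
    throw new TypeError('Link value must be an absolute URL');
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new TypeError('Link value must use http or https');
  }
  if (allowedHosts && !allowedHosts.includes(url.hostname)) {
    throw new TypeError('Link host not allowed: ' + url.hostname);
  }
  return url.href.replace(/[<>,;"\s]/g, (c) =>
    '%' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0'));
}

function buildLinkHeaderSafe(links, allowedHosts) {
  return Object.keys(links)
    .map((rel) => {
      // The rel name is attacker-reachable too if it comes from input; keep it a plain token.
      if (!/^[A-Za-z0-9._-]+$/.test(rel)) {
        throw new TypeError('invalid rel: ' + rel);
      }
      return '<' + sanitizeLinkUrl(links[rel], allowedHosts) + '>; rel="' + rel + '"';
    })
    .join(', ');
}

// Constructed attacker input: a "next page" value that closes the <...> target,
// adds a preload of a third-party script, then reopens a plausible-looking URL.
const ATTACKER_NEXT =
  'https://evil.example/x.js>; rel="preload", <https://app.example/dash';

function demo() {
  const naive = buildLinkHeaderNaive({ next: ATTACKER_NEXT });
  console.log('naive  :', naive);
  console.log('entries:', parseLinkHeader(naive)); // two entries, first is a preload of evil.example

  const safe = buildLinkHeaderSafe({ next: ATTACKER_NEXT });
  console.log('safe   :', safe);
  console.log('entries:', parseLinkHeader(safe)); // one entry, rel="next", delimiters encoded

  try {
    buildLinkHeaderSafe({ next: ATTACKER_NEXT }, ['app.example']);
  } catch (err) {
    console.log('allow-list:', err.message); // host evil.example rejected outright
  }
}

demo();
```

The allow-list is the control that actually matters for a pagination link: encoding the delimiters stops the header from being split into extra link relations, but the value still points wherever the attacker chose, so an application that echoes user input into response.links should also restrict the host (or build the URL itself from a validated page number rather than from a caller-supplied URL).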

Database specific
{
    "nvd_published_at": "2024-10-29T17:15:03Z",
    "cwe_ids": [
        "CWE-74"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-25T21:31:20Z"
}
References

Affected packages

npm / express

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.0.0-rc1

Database specific

{
    "last_known_affected_version_range": "<= 3.21.4"
}