{
  "threat_severity" : "Low",
  "public_date" : "2024-04-04T00:00:00Z",
  "bugzilla" : {
    "description" : "nodejs-undici: proxy-authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline",
    "id" : "2273522",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2273522"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.9",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-285",
  "details" : [ "Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared the Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in versions 5.28.4 and 6.11.1.", "A flaw was found in the nodejs-undici package. Proxy-Authorization headers are not cleared on cross-origin redirects, which can expose sensitive data or allow an attacker to capture the persistent proxy-authentication header." ],
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers",
    "release_date" : "2024-09-12T00:00:00Z",
    "advisory" : "RHSA-2024:6667",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el8",
    "package" : "devspaces/dashboard-rhel8:3.16-27"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "nodejs-undici",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-30260\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-30260" ],
  "name" : "CVE-2024-30260",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria, comprising ease of use and deployment, applicability to a widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}