{
  "threat_severity" : "Low",
  "public_date" : "2024-04-04T00:00:00Z",
  "bugzilla" : {
    "description" : "nodejs-undici: fetch() with integrity option is too lax when algorithm is specified but hash value is in incorrect",
    "id" : "2273519",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2273519"
  },
  "cvss3" : {
    "cvss3_base_score" : "2.6",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-284",
  "details" : [ "Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.", "A flaw was found in the nodejs-undici package. This issue may allow an attacker to alter the integrity option passed to fetch(), allowing fetch() to accept requests as valid even if they have been tampered with." ],
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers",
    "release_date" : "2024-09-12T00:00:00Z",
    "advisory" : "RHSA-2024:6667",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el8",
    "package" : "devspaces/dashboard-rhel8:3.16-27"
  }, {
    "product_name" : "Red Hat Developer Hub (RHDH) 1.4",
    "release_date" : "2025-02-27T00:00:00Z",
    "advisory" : "RHSA-2025:1931",
    "cpe" : "cpe:/a:redhat:rhdh:1.4::el9",
    "package" : "rhdh/rhdh-hub-rhel9:sha256:5eb109362246ccddd564febe6387bc6015d47555df00c36aa88c2247099851b7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "nodejs-undici",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Fix deferred",
    "package_name" : "org.keycloak-keycloak-parent",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-30261\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-30261" ],
  "name" : "CVE-2024-30261",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}