| Field | Value |
|---|---|
| Vulnerability Name | CVE-2022-32210 (CCN-229253) |
| Assigned | 2022-06-17 |
| Published | 2022-06-17 |
| Updated | 2022-07-25 |
| Summary | `Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request and response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server. |
| CVSS v3 Severity | 6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N); 5.9 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P/RL:O/RC:C); 4.9 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C) |
| CVSS v2 Severity | 4.3 Medium (CCN CVSS v2 Vector: AV:A/AC:H/Au:S/C:C/I:N/A:N) |
| Vulnerability Type | CWE-295 (Improper Certificate Validation) |
| Vulnerability Consequences | Obtain Information |
| Vulnerable Configuration | Configuration 1; Configuration CCN 1 (denotes that component is vulnerable) |

References:

- Source: MITRE; Type: CNA; CVE-2022-32210
- Source: XF; Type: UNKNOWN; nodejs-cve202232210-info-disc(229253)
- Source: MISC; Type: Exploit, Third Party Advisory; https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33
- Source: MISC; Type: Exploit, Issue Tracking, Third Party Advisory; https://hackerone.com/reports/1583680
- Source: CCN; Type: SNYK-JS-UNDICI-2928996; Improper Certificate Validation
- Source: CCN; Type: IBM Security Bulletin 6601261 (App Connect Enterprise Certified Container); IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to loss of confidentiality due to CVE-2022-32210
- Source: CCN; Type: NPM Web site; undici