Bug 1222530 (CVE-2024-30260)

Summary: VUL-0: CVE-2024-30260: nodejs, nodejs-electron: undici: proxy-authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P3 - Medium CC: brunopitrus, camila.matos, dheidler
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/400392/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-30260:3.1:(AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-04-09 10:03:12 UTC 
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-30260
https://www.cve.org/CVERecord?id=CVE-2024-30260
https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f
https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75
https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7
https://bugzilla.redhat.com/show_bug.cgi?id=2273522
Comment 2 Camila Camargo de Matos 2024-04-09 10:17:53 UTC 
Commit 64e3402d contains the fix for undici versions 5.x, while commit 68057466 contains the fix for 6.11.0.
Comment 3 Bruno Pitrus 2024-04-09 16:39:16 UTC 
commit 64e3402d also contains a giant refactor that is impossible to backport due to an amalgamated version of undici being present in the nodejs tree…

Looks like just adding 'proxy-authorization' below the previous two headers should be a simpler fix.
Comment 4 Adam Majer 2024-04-10 08:12:12 UTC 
(In reply to Bruno Pitrus from comment #3)
> commit 64e3402d also contains a giant refactor that is impossible to
> backport due to an amalgamated version of undici being present in the nodejs
> tree…
> 
> Looks like just adding 'proxy-authorization' below the previous two headers
> should be a simpler fix.

Sadly it's generated code and the src/ in node tree is just for reference :(

The simplest is to do a version update by applying https://github.com/nodejs/node/pull/52328

This version update also fixes CVE-2024-30261 via 
https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672
Comment 5 OBSbugzilla Bot 2024-04-10 09:35:05 UTC 
This is an autogenerated message for OBS integration:
This bug (1222530) was mentioned in
https://build.opensuse.org/request/show/1166607 Factory / nodejs21
Comment 6 OBSbugzilla Bot 2024-04-10 11:35:07 UTC 
This is an autogenerated message for OBS integration:
This bug (1222530) was mentioned in
https://build.opensuse.org/request/show/1166624 Factory / nodejs20
Comment 7 Bruno Pitrus 2024-04-10 13:44:57 UTC 
Pulling bulk update commits probably won't help for electron because their copy of node does not match the head of the relevant node branch.
Comment 8 Adam Majer 2024-04-11 08:22:52 UTC 
(In reply to Bruno Pitrus from comment #7)
> Pulling bulk update commits probably won't help for electron because their
> copy of node does not match the head of the relevant node branch.

In this case, it's best to just wait for upstream to update. Electron is not really affected here anyway, as this is mostly server related issue.
Comment 10 Maintenance Automation 2024-04-16 08:30:04 UTC 
SUSE-SU-2024:1301-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1220053, 1222244, 1222384, 1222530, 1222603
CVE References: CVE-2024-24806, CVE-2024-27982, CVE-2024-27983, CVE-2024-30260, CVE-2024-30261
Maintenance Incident: [SUSE:Maintenance:33347](https://smelt.suse.de/incident/33347/)
Sources used:
Web and Scripting Module 15-SP5 (src):
 nodejs20-20.12.1-150500.11.9.2
openSUSE Leap 15.5 (src):
 nodejs20-20.12.1-150500.11.9.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Maintenance Automation 2024-04-16 12:30:08 UTC 
SUSE-SU-2024:1309-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1220053, 1222244, 1222384, 1222530, 1222603
CVE References: CVE-2024-24806, CVE-2024-27982, CVE-2024-27983, CVE-2024-30260, CVE-2024-30261
Maintenance Incident: [SUSE:Maintenance:33350](https://smelt.suse.de/incident/33350/)
Sources used:
openSUSE Leap 15.4 (src):
 nodejs18-18.20.1-150400.9.21.3
openSUSE Leap 15.5 (src):
 nodejs18-18.20.1-150400.9.21.3
Web and Scripting Module 15-SP5 (src):
 nodejs18-18.20.1-150400.9.21.3
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 nodejs18-18.20.1-150400.9.21.3
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 nodejs18-18.20.1-150400.9.21.3
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 nodejs18-18.20.1-150400.9.21.3
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 nodejs18-18.20.1-150400.9.21.3
SUSE Manager Server 4.3 (src):
 nodejs18-18.20.1-150400.9.21.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Maintenance Automation 2024-04-16 12:30:13 UTC 
SUSE-SU-2024:1307-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1220053, 1222244, 1222384, 1222530, 1222603
CVE References: CVE-2024-24806, CVE-2024-27982, CVE-2024-27983, CVE-2024-30260, CVE-2024-30261
Maintenance Incident: [SUSE:Maintenance:33351](https://smelt.suse.de/incident/33351/)
Sources used:
Web and Scripting Module 12 (src):
 nodejs18-18.20.1-8.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Maintenance Automation 2024-05-29 16:30:08 UTC 
SUSE-SU-2024:1837-1: An update that solves two vulnerabilities can now be installed.

Category: security (low)
Bug References: 1222530, 1222603
CVE References: CVE-2024-30260, CVE-2024-30261
Maintenance Incident: [SUSE:Maintenance:34067](https://smelt.suse.de/incident/34067/)
Sources used:
openSUSE Leap 15.4 (src):
 nodejs16-16.20.2-150400.3.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Maintenance Automation 2024-05-29 16:30:11 UTC 
SUSE-SU-2024:1836-1: An update that solves two vulnerabilities can now be installed.

Category: security (low)
Bug References: 1222530, 1222603
CVE References: CVE-2024-30260, CVE-2024-30261
Maintenance Incident: [SUSE:Maintenance:34069](https://smelt.suse.de/incident/34069/)
Sources used:
Web and Scripting Module 12 (src):
 nodejs16-16.20.2-8.45.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.