Bugzilla – Bug 1216205
VUL-0: CVE-2023-45143: nodejs, nodejs-electron: cookie leakage in undici
Last modified: 2023-10-27 10:11:35 UTC
Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect between the assumptions the spec made and undici's implementation of fetch. As such this may lead to accidental leakage of cookies to a third-party site, or a malicious attacker who can control the redirection target (i.e. an open redirector) may leak the cookie to the third-party site. This was patched in version 5.26.2. There are no known workarounds. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45143
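The redirect rule described above, as an added illustration that is not undici's own code: a helper that drops `Cookie` alongside `Authorization` when the `Location` target is a different origin, next to the pre-5.26.2 behaviour that dropped only `Authorization`. The function names, header values and URLs are constructed for this example.

```javascript
// Added example (not undici's code): which request headers may follow a
// redirect. The Fetch spec treats a redirect to a different origin as a
// boundary where credential-bearing headers must be dropped.

// Headers that must not cross an origin boundary. Authorization was
// already cleared before undici 5.26.2; Cookie is the header
// CVE-2023-45143 is about. (A fuller client would also drop
// Proxy-Authorization; omitted here to stay with the advisory's scope.)
const CROSS_ORIGIN_SENSITIVE = ['authorization', 'cookie'];

// Fetch "same origin": scheme, host and effective port must match.
// URL.origin already drops default ports (https://h:443 -> https://h),
// so comparing origin strings is sufficient for http(s) URLs.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Fixed behaviour: returns a copy of `headers` (plain object, any name
// casing) with all sensitive headers removed when the resolved Location
// is cross-origin. Same-origin redirects keep every header.
function headersForRedirect(headers, currentUrl, locationUrl) {
  const target = new URL(locationUrl, currentUrl); // Location may be relative
  if (sameOrigin(currentUrl, target)) return { ...headers };
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!CROSS_ORIGIN_SENSITIVE.includes(name.toLowerCase())) out[name] = value;
  }
  return out;
}

// Pre-5.26.2 behaviour for comparison: only Authorization is cleared, so
// a Cookie header set on the original request reaches the redirect target.
function headersForRedirectVulnerable(headers, currentUrl, locationUrl) {
  const target = new URL(locationUrl, currentUrl);
  if (sameOrigin(currentUrl, target)) return { ...headers };
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== 'authorization') out[name] = value;
  }
  return out;
}

// Constructed sample request headers used by the checks below.
const SAMPLE_HEADERS = {
  Cookie: 'session=abc123',
  Authorization: 'Bearer token',
  Accept: 'text/html',
};
```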
Tracking as affected:
- SUSE:ALP:Source:Standard:1.0/nodejs20 (undici v5.23.0)
- SUSE:SLE-12-SP5:Update/nodejs16 (undici v5.20.0)
- SUSE:SLE-12-SP5:Update/nodejs18 (undici v5.22.1)
- SUSE:SLE-15-SP3:Update/nodejs16 (undici v5.20.0)
- SUSE:SLE-15-SP4:Update/nodejs16 (undici v5.20.0)
- SUSE:SLE-15-SP4:Update/nodejs18 (undici v5.22.1)
- SUSE:SLE-15-SP5:Update/nodejs18 (undici v5.22.1)
- openSUSE:Factory/nodejs-electron (undici v5.20.0)
- openSUSE:Factory/nodejs20 (undici v5.25.2)

Upstream advisory: https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g
Upstream fix: https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76
This is an autogenerated message for OBS integration: This bug (1216205) was mentioned in https://build.opensuse.org/request/show/1118025 Factory / nodejs20
SUSE-SU-2023:4133-1: An update that solves four vulnerabilities can now be installed. Category: security (important) Bug References: 1216190, 1216205, 1216272, 1216273 CVE References: CVE-2023-38552, CVE-2023-39333, CVE-2023-44487, CVE-2023-45143 Sources used: Web and Scripting Module 15-SP4 (src): nodejs18-18.18.2-150400.9.15.1 Web and Scripting Module 15-SP5 (src): nodejs18-18.18.2-150400.9.15.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4132-1: An update that solves four vulnerabilities can now be installed. Category: security (important) Bug References: 1216190, 1216205, 1216272, 1216273 CVE References: CVE-2023-38552, CVE-2023-39333, CVE-2023-44487, CVE-2023-45143 Sources used: Web and Scripting Module 12 (src): nodejs18-18.18.2-8.15.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4150-1: An update that solves four vulnerabilities can now be installed. Category: security (important) Bug References: 1216190, 1216205, 1216272, 1216273 CVE References: CVE-2023-38552, CVE-2023-39333, CVE-2023-44487, CVE-2023-45143 Sources used: Web and Scripting Module 12 (src): nodejs16-16.20.2-8.36.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4155-1: An update that solves four vulnerabilities can now be installed. Category: security (important) Bug References: 1216190, 1216205, 1216272, 1216273 CVE References: CVE-2023-38552, CVE-2023-39333, CVE-2023-44487, CVE-2023-45143 Sources used: Web and Scripting Module 15-SP4 (src): nodejs16-16.20.2-150400.3.27.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
I noticed you've decided to upgrade undici wholesale in nodejs16: https://build.opensuse.org/package/view_file/devel:languages:nodejs/nodejs16/CVE-2023-45143.patch?expand=1 whereas I've only backported the specific patch to electron: https://build.opensuse.org/package/view_file/openSUSE:Factory/nodejs-electron/CVE-2023-45143-undici-cookie-leakage.patch?expand=1 Do you think that's ok, Adam? [I don't know if the node testsuite does test undici, and I don't run it anyway for electron]
I basically just followed what upstream NodeJS has done in this case. There are 2 or 3 bundled deps in nodejs these days that are a real pain to patch, and undici is one of these. I've complained about this upstream some time ago, but the solution is ... complicated: https://github.com/nodejs/node/issues/42199 If you look at the sources, https://github.com/nodejs/node/tree/main/deps/undici you will find that these are not actually used. They are just the reference version. You then have to build the actual undici.js, which will include things like the WASM binary inside it. See the package.json of the undici package: https://github.com/nodejs/node/blob/main/deps/undici/src/package.json#L73-L75 So the patch is OK. But you'll have to rebuild undici in this case. Worse, the entire ecosystem is built like this. It's a can of worms that you don't want to touch too much or it will unravel like Pandora's Box, and we don't get too much benefit from unraveling it anyway :-) Unbundling these deps would be beneficial, but we can't just stick them inside RPMs.
Well, this vulnerability does not affect the serialized WASM binary in `require_llhttp_wasm`, only code that is pasted near-verbatim in the amalgamation. Closing this as all tracked packages are patched now.
(In reply to Bruno Pitrus from comment #15) > Well this vulnerability does not affect the serialized WASM binary in > `require_llhttp_wasm`, only code that is pasted near-verbatim in the > amalgamation. > > Closing this as all tracked packages are patched now Just FYI, but the amalgamation is not rebuilt for undici. So you have to patch the amalgamation.
I do patch it — see https://build.opensuse.org/package/view_file/home:dziobian:gulgul-ultron:19/nodejs-electron/CVE-2023-45143-undici-cookie-leakage.patch?expand=1 The amalgamation is in third_party/electron_node/deps/undici/undici.js
SUSE-SU-2023:4207-1: An update that solves four vulnerabilities can now be installed. Category: security (important) Bug References: 1216190, 1216205, 1216272, 1216273 CVE References: CVE-2023-38552, CVE-2023-39333, CVE-2023-44487, CVE-2023-45143 Sources used: openSUSE Leap 15.3 (src): nodejs16-16.20.2-150300.7.30.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): nodejs16-16.20.2-150300.7.30.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): nodejs16-16.20.2-150300.7.30.1 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): nodejs16-16.20.2-150300.7.30.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): nodejs16-16.20.2-150300.7.30.1 SUSE Manager Server 4.2 (src): nodejs16-16.20.2-150300.7.30.1 SUSE Enterprise Storage 7.1 (src): nodejs16-16.20.2-150300.7.30.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.