Bugzilla – Bug 1220017
VUL-0: CVE-2024-24758: nodejs16,nodejs18,nodejs20: ignore proxy-authorization header
Last modified: 2024-06-06 12:21:40 UTC
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/ undici 5.28.3 on all release lines (CVE-2024-24758, GHSA-3787-6prv-h9w3). https://github.com/nodejs/node/commit/f48b89689d removes the proxy-authorization header from passed headers
https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3 Impact Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authorization headers. Patches This is patched in v5.28.3 and v6.6.1 Workarounds There are no known workarounds. References https://fetch.spec.whatwg.org/#authentication-entries GHSA-wqq4-5wpv-mx2g
This is an autogenerated message for OBS integration: This bug (1220017) was mentioned in https://build.opensuse.org/request/show/1147152 Factory / nodejs20 https://build.opensuse.org/request/show/1147153 Factory / nodejs21
SUSE-SU-2024:0644-1: An update that solves six vulnerabilities can now be installed. Category: security (important) Bug References: 1219724, 1219992, 1219993, 1219997, 1220014, 1220017 CVE References: CVE-2023-46809, CVE-2024-21892, CVE-2024-22019, CVE-2024-22025, CVE-2024-24758, CVE-2024-24806 Sources used: Web and Scripting Module 12 (src): nodejs18-18.19.1-8.18.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:0643-1: An update that solves 10 vulnerabilities and has one security fix can now be installed. Category: security (important) Bug References: 1219152, 1219724, 1219992, 1219993, 1219994, 1219995, 1219997, 1219998, 1219999, 1220014, 1220017 CVE References: CVE-2023-46809, CVE-2024-21890, CVE-2024-21891, CVE-2024-21892, CVE-2024-21896, CVE-2024-22017, CVE-2024-22019, CVE-2024-22025, CVE-2024-24758, CVE-2024-24806 Sources used: openSUSE Leap 15.5 (src): nodejs20-20.11.1-150500.11.6.1 Web and Scripting Module 15-SP5 (src): nodejs20-20.11.1-150500.11.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:0731-1: An update that solves five vulnerabilities can now be installed. Category: security (important) Bug References: 1219993, 1219997, 1220014, 1220017, 1220053 CVE References: CVE-2023-46809, CVE-2024-22019, CVE-2024-22025, CVE-2024-24758, CVE-2024-24806 Sources used: Web and Scripting Module 12 (src): nodejs16-16.20.2-8.39.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:0730-1: An update that solves six vulnerabilities can now be installed. Category: security (important) Bug References: 1219724, 1219992, 1219993, 1219997, 1220014, 1220017 CVE References: CVE-2023-46809, CVE-2024-21892, CVE-2024-22019, CVE-2024-22025, CVE-2024-24758, CVE-2024-24806 Sources used: SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): nodejs18-18.19.1-150400.9.18.2 SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): nodejs18-18.19.1-150400.9.18.2 SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): nodejs18-18.19.1-150400.9.18.2 SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): nodejs18-18.19.1-150400.9.18.2 SUSE Manager Server 4.3 (src): nodejs18-18.19.1-150400.9.18.2 openSUSE Leap 15.4 (src): nodejs18-18.19.1-150400.9.18.2 openSUSE Leap 15.5 (src): nodejs18-18.19.1-150400.9.18.2 Web and Scripting Module 15-SP5 (src): nodejs18-18.19.1-150400.9.18.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:0729-1: An update that solves five vulnerabilities can now be installed. Category: security (important) Bug References: 1219993, 1219997, 1220014, 1220017, 1220053 CVE References: CVE-2023-46809, CVE-2024-22019, CVE-2024-22025, CVE-2024-24758, CVE-2024-24806 Sources used: openSUSE Leap 15.3 (src): nodejs16-16.20.2-150300.7.33.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): nodejs16-16.20.2-150300.7.33.1 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): nodejs16-16.20.2-150300.7.33.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): nodejs16-16.20.2-150300.7.33.1 SUSE Enterprise Storage 7.1 (src): nodejs16-16.20.2-150300.7.33.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:0728-1: An update that solves five vulnerabilities can now be installed. Category: security (important) Bug References: 1219993, 1219997, 1220014, 1220017, 1220053 CVE References: CVE-2023-46809, CVE-2024-22019, CVE-2024-22025, CVE-2024-24758, CVE-2024-24806 Sources used: openSUSE Leap 15.4 (src): nodejs16-16.20.2-150400.3.30.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): nodejs16-16.20.2-150400.3.30.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): nodejs16-16.20.2-150400.3.30.1 SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): nodejs16-16.20.2-150400.3.30.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): nodejs16-16.20.2-150400.3.30.1 SUSE Manager Server 4.3 (src): nodejs16-16.20.2-150400.3.30.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Fixed and released.