Server-Side Request Forgery in Request #30

Closed
opened 2023-08-01 04:45:07 +00:00 by argoyle · 0 comments
argoyle commented 2023-08-01 04:45:07 +00:00 (Migrated from gitlab.com)

⚠️ `dependabot-gitlab` has detected a security vulnerability for `@cypress/request` in path: `/`, manifest_file: `/package.json` but was unable to update it! ⚠️

| Package | Severity | Affected versions | Patched versions | IDs |
|------------------------|----------|-------------------|------------------|----------------------------------------|
| @cypress/request (NPM) | MODERATE | <= 2.88.11 | | `GHSA-p8p7-x288-28g6`, `CVE-2023-28155` |

# Description

The `request` package through 2.88.2 for Node.js and the `@cypress/request` package through 2.88.11 allow a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).

NOTE: The `request` package is no longer supported by the maintainer.

# References

* https://github.com/advisories/GHSA-p8p7-x288-28g6
* https://nvd.nist.gov/vuln/detail/CVE-2023-28155
* https://github.com/request/request/issues/3442
* https://github.com/request/request/pull/3444
* https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf
* https://security.netapp.com/advisory/ntap-20230413-0007/
* https://github.com/github/advisory-database/pull/2500
* https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116
* https://github.com/request/request/blob/master/lib/redirect.js#L111
argoyle (Migrated from gitlab.com) closed this issue 2023-08-02 06:58:18 +00:00
Reference: dancefinder/dancefinder-app#30