CVE-2022-31151 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2022-31151 Interim 1 4 2022-12-13T00:41:16Z current 2022-07-21T23:35:22Z 2022-12-13T00:41:16Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2022-31151 Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. `maxRedirections: 0` (the default). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Module for Web and Scripting 15 SP3 SUSE Linux Enterprise Module for Web and Scripting 12 SUSE Linux Enterprise Module for Web and Scripting 15 SP3 SUSE Linux Enterprise Module for Web and Scripting 15 SP4 SUSE Linux Enterprise Module for Web and Scripting 12 SUSE Linux Enterprise Module for Web and Scripting 12 SUSE Linux Enterprise Module for Web and Scripting 12 SUSE Linux Enterprise Module for Web and Scripting 12 SUSE Linux Enterprise Module for Web and Scripting 15 SP3 SUSE Linux Enterprise Module for Web and Scripting 15 SP4 SUSE Linux Enterprise Module for Web and Scripting 12 SUSE Linux Enterprise Module for Web and Scripting 12 SUSE Linux Enterprise Module for Web and Scripting 12 SUSE Linux Enterprise Module for Web and Scripting 12 SUSE Linux Enterprise Module for Web and Scripting 15 SP3 SUSE Linux Enterprise Module for Web and Scripting 15 SP4 SUSE Linux Enterprise Module for Web and Scripting 15 SP3 SUSE Linux Enterprise Module for Web and Scripting 15 SP4 SUSE Linux Enterprise Module for Web and Scripting 15 SP3 SUSE Linux Enterprise Module for Web and Scripting 15 SP4 SUSE Linux Enterprise Module for Web and Scripting 15 SP3 SUSE Linux Enterprise Module for Web and Scripting 15 SP4 nodejs16 nodejs16-devel nodejs16-docs npm16 nodejs16 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 nodejs16-devel as a component of SUSE Linux Enterprise Module for Web and Scripting 12 nodejs16-docs as a component of SUSE Linux Enterprise Module for Web and Scripting 12 npm16 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 nodejs16 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP3 nodejs16-devel as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP3 nodejs16-docs as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP3 npm16 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP3 nodejs16 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP4 nodejs16-devel as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP4 nodejs16-docs as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP4 npm16 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP4 Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. `maxRedirections: 0` (the default). CVE-2022-31151 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs16 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs16-devel SUSE Linux Enterprise Module for Web and Scripting 12:nodejs16-docs SUSE Linux Enterprise Module for Web and Scripting 12:npm16 SUSE Linux Enterprise Module for Web and Scripting 15 SP3:nodejs16 SUSE Linux Enterprise Module for Web and Scripting 15 SP3:nodejs16-devel SUSE Linux Enterprise Module for Web and Scripting 15 SP3:nodejs16-docs SUSE Linux Enterprise Module for Web and Scripting 15 SP3:npm16 SUSE Linux Enterprise Module for Web and Scripting 15 SP4:nodejs16 SUSE Linux Enterprise Module for Web and Scripting 15 SP4:nodejs16-devel SUSE Linux Enterprise Module for Web and Scripting 15 SP4:nodejs16-docs SUSE Linux Enterprise Module for Web and Scripting 15 SP4:npm16 low 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N