CVE-2022-0235

Aliases:GHSA-r683-j2x4-v87g

Advisory lineage Upstream: 0 Downstream: 13

Downstream

DEBIAN-CVE-2022-0235 DLA-3222-1 RHSA-2023:0050 RHSA-2023:0612 RHSA-2023:1742 SUSE-SU-2022:1459-1

Modified

Published: 16 Jan 2022, 00:00

Last modified:02 Aug 2024, 23:18

Vulnerability Summary

Overall Risk (default)

medium

45/100

CVSS Score

8.8 HIGH

v3.0 (cve.org)

EPSS Score

0.29% LOW

0% probability -0.36%

KEV

Not listed

Ransomware

No reports

Public exploits

1 found

Dark Web

Not detected

Timeline

16 Jan 2022, 00:00

Published

Vulnerability first disclosed

02 Aug 2024, 23:18

Last Modified

Vulnerability information updated

Description

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

CVSS Metrics

v3.1•MEDIUM•Score: 6.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
v3.0•HIGH•Score: 8.8CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
v2.0•MEDIUM•Score: 5.8AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS Trends

Current EPSS score: 0.29%• Percentile: 53%

Techniques & Countermeasures

CWE-601•URL Redirection to Untrusted Site ('Open Redirect')
The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
CWE-200•Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Affected Systems

debian•debian_linux
10.0
node-fetch_project•node-fetch
< 2.6.7 | ≥ 3.0.0, < 3.1.1
node-fetch•node-fetch/node-fetch
≥ unspecified, < 3.1.1
Npm•node-fetch
≥ 3.0.0, < 3.1.1 | < 2.6.7
siemens•sinec_ins
< 1.0 | 1.0 | 1.0:sp1