{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-26159", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2023-02-20T10:28:48.931Z", "datePublished": "2024-01-02T05:00:00.659Z", "dateUpdated": "2025-02-13T16:44:52.151Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P"}}], "credits": [{"value": "Kim Donggyu", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "Improper Input Validation", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-01-23T03:06:22.806Z"}, "descriptions": [{"value": "Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137"}, {"url": "https://github.com/follow-redirects/follow-redirects/issues/235"}, {"url": "https://github.com/follow-redirects/follow-redirects/pull/236"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/"}], "affected": [{"product": "follow-redirects", "versions": [{"version": "0", "lessThan": "1.15.4", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:39:06.643Z"}, "title": "CVE Program Container", "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137", "tags": ["x_transferred"]}, {"url": "https://github.com/follow-redirects/follow-redirects/issues/235", "tags": ["x_transferred"]}, {"url": "https://github.com/follow-redirects/follow-redirects/pull/236", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:follow-redirects:follow_redirects:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "5E9B14E8-F184-4F4C-8275-8FE1D093D258", "versionEndExcluding": "1.15.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches."}, {"lang": "es", "value": "Las versiones del paquete follow-redirects anteriores a la 1.15.4 son vulnerables a una validaci\u00f3n de entrada incorrecta debido al manejo inadecuado de las URL por parte de la funci\u00f3n url.parse(). Cuando la nueva URL() arroja un error, se puede manipular para malinterpretar el nombre de host. Un atacante podr\u00eda aprovechar esta debilidad para redirigir el tr\u00e1fico a un sitio malicioso, lo que podr\u00eda provocar la divulgaci\u00f3n de informaci\u00f3n, ataques de phishing u otras violaciones de seguridad."}], "id": "CVE-2023-26159", "lastModified": "2024-11-21T07:50:54.353", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "report@snyk.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-02T05:15:08.630", "references": [{"source": "report@snyk.io", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/follow-redirects/follow-redirects/issues/235"}, {"source": "report@snyk.io", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/follow-redirects/follow-redirects/pull/236"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/follow-redirects/follow-redirects/issues/235"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/follow-redirects/follow-redirects/pull/236"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "report@snyk.io", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-601"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHBA-2024:0928", "cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2.5::el9", "package": "migration-toolkit-virtualization/mtv-console-plugin-rhel9:2.5.5-3", "product_name": "Migration Toolkit for Virtualization 2.5", "release_date": "2024-02-20T00:00:00Z"}, {"advisory": "RHSA-2024:1027", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el8", "package": "mta/mta-rhel8-operator:6.2.2-3", "product_name": "MTA-6.2-RHEL-8", "release_date": "2024-02-28T00:00:00Z"}, {"advisory": "RHSA-2024:1027", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package": "mta/mta-hub-rhel9:6.2.2-2", "product_name": "MTA-6.2-RHEL-9", "release_date": "2024-02-28T00:00:00Z"}, {"advisory": "RHSA-2024:1027", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package": "mta/mta-operator-bundle:6.2.2-5", "product_name": "MTA-6.2-RHEL-9", "release_date": "2024-02-28T00:00:00Z"}, {"advisory": "RHSA-2024:1027", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package": "mta/mta-pathfinder-rhel9:6.2.2-2", "product_name": "MTA-6.2-RHEL-9", "release_date": "2024-02-28T00:00:00Z"}, {"advisory": "RHSA-2024:1027", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package": "mta/mta-ui-rhel9:6.2.2-2", "product_name": "MTA-6.2-RHEL-9", "release_date": "2024-02-28T00:00:00Z"}, {"advisory": "RHSA-2024:1027", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package": "mta/mta-windup-addon-rhel9:6.2.2-3", "product_name": "MTA-6.2-RHEL-9", "release_date": "2024-02-28T00:00:00Z"}, {"advisory": "RHSA-2024:3989", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package": "mta/mta-ui-rhel9:6.2.3-2", "product_name": "MTA-6.2-RHEL-9", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:3316", "cpe": "cpe:/a:redhat:migration_toolkit_applications:7.0::el9", "package": "mta/mta-cli-rhel9:7.0.3-16", "product_name": "MTA-7.0-RHEL-9", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:3316", "cpe": "cpe:/a:redhat:migration_toolkit_applications:7.0::el9", "package": "mta/mta-ui-rhel9:7.0.3-13", "product_name": "MTA-7.0-RHEL-9", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:0720", "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package": "follow-redirects", "product_name": "MTR 1.2.4", "release_date": "2024-02-07T00:00:00Z"}, {"advisory": "RHBA-2024:3555", "cpe": "cpe:/a:redhat:multicluster_engine:2.4::el8", "package": "multicluster-engine/console-mce-rhel8:v2.4.5-25", "product_name": "multicluster engine for Kubernetes 2.4 for RHEL 8", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHBA-2024:3555", "cpe": "cpe:/a:redhat:multicluster_engine:2.4::el8", "package": "multicluster-engine/multicluster-engine-console-mce-rhel8:v2.4.5-25", "product_name": "multicluster engine for Kubernetes 2.4 for RHEL 8", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:0853", "cpe": "cpe:/a:redhat:network_observ_optr:1.5.0::el9", "package": "network-observability/network-observability-console-plugin-rhel9:v1.5.0-89", "product_name": "NETWORK-OBSERVABILITY-1.5.0-RHEL-9", "release_date": "2024-02-21T00:00:00Z"}, {"advisory": "RHBA-2024:3593", "cpe": "cpe:/a:redhat:acm:2.9::el8", "package": "rhacm2/console-rhel8:v2.9.4-22", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8", "release_date": "2024-06-04T00:00:00Z"}, {"advisory": "RHSA-2023:7198", "cpe": "cpe:/a:redhat:openshift:4.15::el8", "package": "openshift4/ose-monitoring-plugin-rhel8:v4.15.0-202402082307.p0.gc3d2272.assembly.stream.el8", "product_name": "Red Hat OpenShift Container Platform 4.15", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/jaeger-agent-rhel8:1.53.0-2", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/jaeger-all-in-one-rhel8:1.53.0-2", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/jaeger-collector-rhel8:1.53.0-2", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/jaeger-es-index-cleaner-rhel8:1.53.0-2", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/jaeger-es-rollover-rhel8:1.53.0-2", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/jaeger-ingester-rhel8:1.53.0-2", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/jaeger-operator-bundle:1.53.0-15", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/jaeger-query-rhel8:1.53.0-2", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/jaeger-rhel8-operator:1.53.0-3", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/opentelemetry-collector-rhel8:0.93.0-3", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/opentelemetry-operator-bundle:0.93.0-8", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/opentelemetry-rhel8-operator:0.93.0-2", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/opentelemetry-target-allocator-rhel8:0.93.0-3", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/tempo-gateway-opa-rhel8:1.0.0-1", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/tempo-gateway-rhel8:1.0.0-1", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/tempo-operator-bundle:0.8.0-8", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/tempo-query-rhel8:0.8.0-3", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/tempo-rhel8:2.3.1-2", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/tempo-rhel8-operator:0.8.0-2", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:1946", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/grafana-rhel8:2.5.1-2", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1946", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/istio-cni-rhel8:2.5.1-8", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1946", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/istio-must-gather-rhel8:2.5.1-3", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1946", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/istio-rhel8-operator:2.5.1-7", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1946", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/kiali-ossmc-rhel8:1.73.7-2", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1946", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/kiali-rhel8:1.73.7-5", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1946", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/kiali-rhel8-operator:1.73.7-4", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1946", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/pilot-rhel8:2.5.1-8", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1946", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/proxyv2-rhel8:2.5.1-8", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1946", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/ratelimit-rhel8:2.5.1-2", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:3314", "cpe": "cpe:/a:redhat:container_native_virtualization:4.15::el9", "package": "container-native-virtualization/kubevirt-console-plugin-rhel9:v4.15.2-383", "product_name": "RHEL-9-CNV-4.15", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odf-console-rhel9:v4.15.0-57", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odf-multicluster-console-rhel9:v4.15.0-54", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:0271", "cpe": "cpe:/a:redhat:logging:5.8::el9", "package": "openshift-logging/logging-view-plugin-rhel9:v5.8.2-3", "product_name": "RHOL-5.8-RHEL-9", "release_date": "2024-01-17T00:00:00Z"}, {"advisory": "RHSA-2025:1609", "cpe": "cpe:/a:redhat:cluster_observability_operator:1.0::el8", "package": "registry.redhat.io/cluster-observability-operator/cluster-observability-rhel8-operator:sha256:14ec62625ed452a305b532556f8c9e5edfec36603221b55e364b5ff3a336577f", "product_name": "Cluster Observability Operator 1.0.0", "release_date": "2025-02-17T00:00:00Z"}], "bugzilla": {"description": "follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse()", "id": "2256413", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2256413"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-20", "details": ["Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.", "An Improper Input Validation flaw was found in follow-redirects due to the improper handling of URLs by the url.parse() function. When a new URL() throws an error, it can be manipulated to misinterpret the hostname. This issue could allow an attacker to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2023-26159", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:2", "fix_state": "Affected", "package_name": "follow-redirects", "product_name": "Cryostat 2"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:rhmt", "fix_state": "Not affected", "package_name": "rhmtc/openshift-migration-ui-rhel8", "product_name": "Migration Toolkit for Containers"}, {"cpe": "cpe:/a:redhat:workload_availability_node_healthcheck", "fix_state": "Not affected", "package_name": "workload-availability/node-remediation-console-rhel8", "product_name": "Node HealthCheck Operator"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Affected", "package_name": "openshift-pipelines/pipelines-hub-api-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Affected", "package_name": "openshift-pipelines/pipelines-hub-db-migration-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Affected", "package_name": "openshift-pipelines/pipelines-hub-ui-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "follow-redirects", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Affected", "package_name": "openshift-service-mesh/kiali-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Will not fix", "package_name": "3scale-amp-system-container", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Will not fix", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Affected", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Not affected", "package_name": "ansible-tower", "product_name": "Red Hat Ansible Automation Platform 1.2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "aap-cloud-ui-container", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "automation-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "automation-eda-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "automation-hub", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "python3x-galaxy-ng", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "python-galaxy-ng", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:rhboac_hawtio:4", "fix_state": "Not affected", "package_name": "follow-redirects", "product_name": "Red Hat build of Apache Camel - HawtIO"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Affected", "package_name": "follow-redirects", "product_name": "Red Hat build of Apicurio Registry"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Will not fix", "package_name": "follow-redirects", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Will not fix", "package_name": "follow-redirects", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Will not fix", "package_name": "follow-redirects", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Affected", "package_name": "rhdh-hub-container", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:discovery:1.0::el8", "fix_state": "Will not fix", "package_name": "discovery-server-container", "product_name": "Red Hat Discovery"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "follow-redirects", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "follow-redirects", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Will not fix", "package_name": "follow-redirects", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "follow-redirects", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "follow-redirects", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "console-dashboards-plugin-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/nmstate-console-plugin-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-console", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/ocs-client-console-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Affected", "package_name": "rhods/odh-dashboard-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Affected", "package_name": "devspaces/code-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Affected", "package_name": "devspaces/dashboard-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Affected", "package_name": "devspaces/traefik-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-agent-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Affected", "package_name": "rhosdt/jaeger-all-in-one-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Will not fix", "package_name": "rhosdt/jaeger-collector-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-es-index-cleaner-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-es-rollover-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-ingester-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Affected", "package_name": "rhosdt/jaeger-query-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/argocd-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/argo-rollouts-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/console-plugin-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Not affected", "package_name": "openshift-gitops-1/gitops-operator-bundle", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Will not fix", "package_name": "container-native-virtualization/kubevirt-console-plugin", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Will not fix", "package_name": "follow-redirects", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "nodejs-redhat-cloud-services-frontend-components", "product_name": "Red Hat Satellite 6"}], "public_date": "2024-01-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-26159\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-26159"], "statement": "follow-redirects is a transitive dependency of Grafana, and does not affect Red Hat Enterprise Linux 8.", "threat_severity": "Moderate"}