{"affected_release": [{"advisory": "RHSA-2024:3920", "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package": "axios", "product_name": "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date": "2024-06-13T00:00:00Z"}, {"advisory": "RHSA-2024:3989", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package": "mta/mta-windup-addon-rhel9:6.2.3-2", "product_name": "MTA-6.2-RHEL-9", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:3316", "cpe": "cpe:/a:redhat:migration_toolkit_applications:7.0::el9", "package": "mta/mta-cli-rhel9:7.0.3-16", "product_name": "MTA-7.0-RHEL-9", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:3316", "cpe": "cpe:/a:redhat:migration_toolkit_applications:7.0::el9", "package": "mta/mta-ui-rhel9:7.0.3-13", "product_name": "MTA-7.0-RHEL-9", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2025:2876", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-central-db-rhel8:4.7.0-4", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-03-17T00:00:00Z"}, {"advisory": "RHSA-2025:2876", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-collector-rhel8:4.7.0-3", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-03-17T00:00:00Z"}, {"advisory": "RHSA-2025:2876", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-main-rhel8:4.7.0-4", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-03-17T00:00:00Z"}, {"advisory": "RHSA-2025:2876", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-operator-bundle:4.7.0-3", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-03-17T00:00:00Z"}, {"advisory": "RHSA-2025:2876", "cpe": 
"cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-rhel8-operator:4.7.0-4", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-03-17T00:00:00Z"}, {"advisory": "RHSA-2025:2876", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-roxctl-rhel8:4.7.0-4", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-03-17T00:00:00Z"}, {"advisory": "RHSA-2025:2876", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-scanner-db-rhel8:4.7.0-4", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-03-17T00:00:00Z"}, {"advisory": "RHSA-2025:2876", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8:4.7.0-3", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-03-17T00:00:00Z"}, {"advisory": "RHSA-2025:2876", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-scanner-rhel8:4.7.0-4", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-03-17T00:00:00Z"}, {"advisory": "RHSA-2025:2876", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-scanner-slim-rhel8:4.7.0-4", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-03-17T00:00:00Z"}, {"advisory": "RHSA-2025:2876", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.7.0-4", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-03-17T00:00:00Z"}, {"advisory": "RHSA-2025:2876", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-rhel8:4.7.0-4", "product_name": "Red Hat Advanced Cluster Security 4.7", 
"release_date": "2025-03-17T00:00:00Z"}, {"advisory": "RHSA-2024:1640", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el8", "package": "automation-controller-0:4.5.5-2.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "release_date": "2024-04-02T00:00:00Z"}, {"advisory": "RHSA-2024:1640", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el9", "package": "automation-controller-0:4.5.5-2.el9ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 9", "release_date": "2024-04-02T00:00:00Z"}, {"advisory": "RHSA-2024:1925", "cpe": "cpe:/a:redhat:rhmt:1.8::el8", "package": "rhmtc/openshift-migration-ui-rhel8:v1.8.3-4", "product_name": "Red Hat Migration Toolkit for Containers 1.8", "release_date": "2024-04-18T00:00:00Z"}, {"advisory": "RHSA-2024:4269", "cpe": "cpe:/a:redhat:container_native_virtualization:4.12::el8", "package": "container-native-virtualization/kubevirt-console-plugin:v4.12.12-7", "product_name": "RHEL-8-CNV-4.12", "release_date": "2024-07-02T00:00:00Z"}, {"advisory": "RHSA-2024:5314", "cpe": "cpe:/a:redhat:container_native_virtualization:4.13::el9", "package": "container-native-virtualization/kubevirt-console-plugin-rhel9:v4.13.10-387", "product_name": "RHEL-9-CNV-4.13", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:3473", "cpe": "cpe:/a:redhat:container_native_virtualization:4.14::el9", "package": "container-native-virtualization/kubevirt-console-plugin-rhel9:v4.14.6-195", "product_name": "RHEL-9-CNV-4.14", "release_date": "2024-05-29T00:00:00Z"}, {"advisory": "RHSA-2024:3314", "cpe": "cpe:/a:redhat:container_native_virtualization:4.15::el9", "package": "container-native-virtualization/kubevirt-console-plugin-rhel9:v4.15.2-383", "product_name": "RHEL-9-CNV-4.15", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:4455", "cpe": "cpe:/a:redhat:container_native_virtualization:4.16::el9", "package": 
"container-native-virtualization/kubevirt-console-plugin-rhel9:v4.16.0-4001", "product_name": "RHEL-9-CNV-4.16", "release_date": "2024-07-10T00:00:00Z"}], "bugzilla": {"description": "axios: exposure of confidential data stored in cookies", "id": "2248979", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2248979"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.", "A flaw was found in Axios that may expose a confidential session token. This issue can allow a remote attacker to bypass security measures and view sensitive data."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2023-45857", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:2", "fix_state": "Fix deferred", "package_name": "axios", "product_name": "Cryostat 2"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:6", "fix_state": "Not affected", "package_name": "mta/mta-ui-rhel9", "product_name": "Migration Toolkit for Applications 6"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Not affected", "package_name": "migration-toolkit-virtualization/mtv-console-plugin-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Not affected", 
"package_name": "multicluster-engine/console-mce-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Not affected", "package_name": "multicluster-engine/multicluster-engine-console-mce-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:network_observ_optr:1", "fix_state": "Not affected", "package_name": "network-observability/network-observability-console-plugin-rhel9", "product_name": "Network Observability Operator"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Affected", "package_name": "openshift-pipelines/pipelines-hub-ui-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Will not fix", "package_name": "axios", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Not affected", "package_name": "openshift-service-mesh/kiali-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Will not fix", "package_name": "3scale-amp-system-container", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/console-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Out of support scope", "package_name": "rhacm2/grc-ui-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Out of support scope", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Not affected", "package_name": "ansible-tower", "product_name": "Red Hat Ansible Automation Platform 1.2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not 
affected", "package_name": "automation-eda-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "automation-hub", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "automation-services-catalog", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "python3x-galaxy-ng", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "python-galaxy-ng", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:rhboac_hawtio:4", "fix_state": "Not affected", "package_name": "axios", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Will not fix", "package_name": "axios", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "axios", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:discovery:1", "fix_state": "Not affected", "package_name": "discovery-server-container", "product_name": "Red Hat Discovery"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "axios", "product_name": "Red Hat Fuse 7"}, 
{"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "axios", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-console", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Fix deferred", "package_name": "rhods/odh-dashboard-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Will not fix", "package_name": "devspaces/code-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Affected", "package_name": "devspaces/traefik-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-agent-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Will not fix", "package_name": "axios", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}], "public_date": "2023-11-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-45857\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-45857"], "statement": "For Red Hat Advanced Cluster Management for Kubernetes (RHACM), the affected container was deprecated in ACM 2.5, which is no longer supported. Subsequent versions of this product are not impacted by this issue.", "threat_severity": "Moderate"}