{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-30261", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-26T12:52:00.934Z", "datePublished": "2024-04-04T15:09:11.369Z", "dateUpdated": "2025-02-13T17:47:48.137Z"}, "containers": {"cna": {"title": "Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672"}, {"name": "https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055", "tags": ["x_refsource_MISC"], "url": "https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055"}, {"name": "https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3", "tags": ["x_refsource_MISC"], "url": "https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3"}, {"name": "https://hackerone.com/reports/2377760", "tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/2377760"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/"}], "affected": [{"vendor": "nodejs", "product": "undici", "versions": [{"version": ">= 6.0.0, < 6.11.1", "status": "affected"}, {"version": "< 5.28.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-19T23:06:39.663Z"}, "descriptions": [{"lang": "en", "value": "Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1."}], "source": {"advisory": "GHSA-9qxr-qj54-h672", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:32:06.665Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672"}, {"name": "https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055"}, {"name": "https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3"}, {"name": "https://hackerone.com/reports/2377760", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/2377760"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "nodejs", "product": "undici", "cpes": ["cpe:2.3:a:nodejs:undici:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "6.0.0", "status": "affected", "lessThan": "6.11.1", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "5.28.4", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-04T15:04:42.490317Z", "id": "CVE-2024-30261", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-04T15:06:10.584Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672", "name": "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055", "name": "https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3", "name": "https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://hackerone.com/reports/2377760", "name": "https://hackerone.com/reports/2377760", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:32:06.665Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-30261", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-04T15:04:42.490317Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:nodejs:undici:*:*:*:*:*:*:*:*"], "vendor": "nodejs", "product": "undici", "versions": [{"status": "affected", "version": "6.0.0", "lessThan": "6.11.1", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "5.28.4", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-04T15:06:05.518Z"}}], "cna": {"title": "Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect", "source": {"advisory": "GHSA-9qxr-qj54-h672", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.6, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "nodejs", "product": "undici", "versions": [{"status": "affected", "version": ">= 6.0.0, < 6.11.1"}, {"status": "affected", "version": "< 5.28.4"}]}], "references": [{"url": "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672", "name": "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055", "name": "https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3", "name": "https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3", "tags": ["x_refsource_MISC"]}, {"url": "https://hackerone.com/reports/2377760", "name": "https://hackerone.com/reports/2377760", "tags": ["x_refsource_MISC"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/"}], "descriptions": [{"lang": "en", "value": "Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-04T15:09:11.369Z"}}}, "cveMetadata": {"cveId": "CVE-2024-30261", "state": "PUBLISHED", "dateUpdated": "2024-09-04T15:06:10.584Z", "dateReserved": "2024-03-26T12:52:00.934Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-04-04T15:09:11.369Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "27A8308B-0EB3-454E-A010-12138A99119D", "versionEndExcluding": "5.28.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "89E57BC8-475F-4BE0-8BB4-285512F8D177", "versionEndExcluding": "6.11.1", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*", "matchCriteriaId": "CA277A6C-83EC-4536-9125-97B84C4FAF59", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1."}, {"lang": "es", "value": "Undici es un cliente HTTP/1.1, escrito desde cero para Node.js. Un atacante puede alterar la opci\u00f3n `integridad` pasada a `fetch()`, permitiendo que `fetch()` acepte solicitudes como v\u00e1lidas incluso si han sido manipuladas. Esta vulnerabilidad fue parcheada en las versiones 5.28.4 y 6.11.1."}], "id": "CVE-2024-30261", "lastModified": "2024-12-18T19:21:11.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-04-04T15:15:39.460", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://hackerone.com/reports/2377760"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking"], "url": "https://hackerone.com/reports/2377760"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:6667", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "package": "devspaces/dashboard-rhel8:3.16-27", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2024-09-12T00:00:00Z"}], "bugzilla": {"description": "nodejs-undici: fetch() with integrity option is too lax when algorithm is specified but hash value is in incorrect", "id": "2273519", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2273519"}, "csaw": false, "cvss3": {"cvss3_base_score": "2.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N", "status": "verified"}, "cwe": "CWE-284", "details": ["Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.", "A flaw was found in the nodejs-undici package. This issue may allow an attacker to alter the integrity option passed to fetch(), allowing fetch() to accept requests as valid even if they have been tampered with."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-30261", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Affected", "package_name": "rhdh-hub-container", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Affected", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}], "public_date": "2024-04-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-30261\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-30261"], "threat_severity": "Low", "upstream_fix": "undici 5.28.4, undici 6.11.1"}