CVE-2023-28155: Server-Side Request Forgery (SSRF)
(updated )
** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
References
- doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf
- github.com/advisories/GHSA-p8p7-x288-28g6
- github.com/cypress-io/request/blob/master/lib/redirect.js
- github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f
- github.com/cypress-io/request/pull/28
- github.com/cypress-io/request/releases/tag/v3.0.0
- github.com/github/advisory-database/pull/2500
- github.com/request/request/blob/master/lib/redirect.js
- github.com/request/request/issues/3442
- github.com/request/request/pull/3444
- nvd.nist.gov/vuln/detail/CVE-2023-28155
- security.netapp.com/advisory/ntap-20230413-0007/
Detect and mitigate CVE-2023-28155 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →