How severe is CVE-2023-45143?

This vulnerability has a severity rating of LOW with a CVSS score of 3.5 out of 10.

What type of vulnerability is CVE-2023-45143?

This is classified as CWE-200, which is a common weakness in software security.

CVE-2023-45143 - LOW Severity | CVSS 3.5

Vulnerability Description

Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version 5.26.2. There are no known workarounds.

Related Vulnerabilities

CVE-2015-4962

LOW

CVSS:3.5(Low)

Jazz Team Server in Jazz Foundation in IBM Rational Collaborative Lifecycle Management (CLM) 3.x and 4.x before 4.0.7 IF9, 5.x before 5.0.2 IF9, and 6.x before 6.0.1; Rational Quality Manager (RQM) 3....

CWE-2002015

CVE-2015-7548

LOW

CVSS:3.5(Low)

OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty), when using libvirt to spawn instances and use_cow_images is set to false, allow remote authenticated users to read a...

CWE-2002015

CVE-2015-8509

LOW

CVSS:3.5(Low)

Template.pm in Bugzilla 2.x, 3.x, and 4.x before 4.2.16, 4.3.x and 4.4.x before 4.4.11, and 4.5.x and 5.0.x before 5.0.2 does not properly construct CSV files, which allows remote attackers to obtain ...

CWE-2002015

CVE-2016-4027

LOW

CVSS:3.5(Low)

An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev10. App Suite frontend offers to control whether a user wants to store cookies that exceed the session duration. This functionality...

CWE-2002016

CVE-2016-6539

LOW

CVSS:3.5(Low)

The Trackr device ID is constructed of a manufacturer identifier of four zeroes followed by the BLE MAC address in reverse. The MAC address can be obtained by being in close proximity to the Bluetooth...

CWE-2002016

CVE-2017-1353

LOW

CVSS:3.5(Low)

IBM Atlas eDiscovery Process Management 6.0.3 could allow an authenticated attacker to obtain sensitive information when an unsuspecting user clicks on unsafe third-party links. IBM X-Force ID: 126680...

CWE-2002017