Bug 1201531 (CVE-2022-32210) - VUL-0: CVE-2022-32210: nodejs: Undici.ProxyAgent never verifies the remote server's certificate
Summary: VUL-0: CVE-2022-32210: nodejs: Undici.ProxyAgent never verifies the remote server's certificate
Status: RESOLVED FIXED
Alias: CVE-2022-32210
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P5 - None (priority), Normal (severity)
Target Milestone: ---
Assignee: Adam Majer
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/337288/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-07-15 07:47 UTC by Carlos López
Modified: 2022-07-15 07:51 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Carlos López 2022-07-15 07:47:59 UTC
CVE-2022-32210

`Undici.ProxyAgent` never verifies the remote server's certificate, and always
exposes all request & response data to the proxy. This unexpectedly means that
proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also
means that nominally HTTPS requests are actually sent via plain-text HTTP
between Undici and the proxy server.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-32210
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32210
https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33
https://hackerone.com/reports/1583680
Comment 1 Carlos López 2022-07-15 07:51:22 UTC
Undici was added in v18, so we are not affected:
https://github.com/nodejs/node/commit/6ec225392675c92b102d3caad02ee3a157c9d1b7

Closing.