CVE-2023-26159

{"id": "CVE-2023-26159", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "report@snyk.io", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 3.9}]}, "published": "2024-01-02T05:15:08.630", "references": [{"url": "https://github.com/follow-redirects/follow-redirects/issues/235", "tags": ["Exploit", "Issue Tracking"], "source": "report@snyk.io"}, {"url": "https://github.com/follow-redirects/follow-redirects/pull/236", "tags": ["Issue Tracking", "Patch"], "source": "report@snyk.io"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/", "source": "report@snyk.io"}, {"url": "https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137", "tags": ["Exploit", "Third Party Advisory"], "source": "report@snyk.io"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-601"}]}, {"type": "Secondary", "source": "report@snyk.io", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches."}, {"lang": "es", "value": "Las versiones del paquete follow-redirects anteriores a la 1.15.4 son vulnerables a una validaci\u00f3n de entrada incorrecta debido al manejo inadecuado de las URL por parte de la funci\u00f3n url.parse(). Cuando la nueva URL() arroja un error, se puede manipular para malinterpretar el nombre de host. Un atacante podr\u00eda aprovechar esta debilidad para redirigir el tr\u00e1fico a un sitio malicioso, lo que podr\u00eda provocar la divulgaci\u00f3n de informaci\u00f3n, ataques de phishing u otras violaciones de seguridad."}], "lastModified": "2024-01-23T03:15:11.380", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:follow-redirects:follow_redirects:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "5E9B14E8-F184-4F4C-8275-8FE1D093D258", "versionEndExcluding": "1.15.4"}], "operator": "OR"}]}], "sourceIdentifier": "report@snyk.io"}