Improper Certificate Validation in undici - CVE-2022-32210

Published: July 6, 2022


Vulnerability identifier: #VU64942
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-32210
CWE-ID: CWE-295
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vendor: Node.js
Affected software:
undici

Detailed vulnerability description

The vulnerability allows a remote user on the local network to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote authenticated user on the local network can send a specially crafted request to obtain the data of all requests and responses passing through the proxy, and use this information to launch further attacks against the affected system.


How to mitigate CVE-2022-32210

Install updates from the vendor's website.

Sources