Description
In versions of simple-get prior to 4.0.1, 3.1.1, and 2.8.2, when a remote URL is fetched with a Cookie header and the server responds with a redirect (a Location header), the redirect is followed with the original request headers, so the session cookie can be forwarded to a third-party host.
Recommendation
Update the simple-get package to the latest compatible version. Version details:
- Affected version(s): **< 2.8.2**; **>= 3.0.0, < 3.1.1**; **= 4.0.0**
- Patched version(s): **2.8.2**, **3.1.1**, **4.0.1**
References
Related Issues
- Exposure of Sensitive Information in eventsource - CVE-2022-1650
- Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects - CVE-2022-0536
- Exposure of sensitive information in follow-redirects - CVE-2022-0155
- Exposure of Sensitive Information to an Unauthorized Actor in AEgir - CVE-2020-11059
Tags:
- npm
- simple-get
Last updated on February 03, 2023