How severe is CVE-2022-31151?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.5 out of 10.

What type of vulnerability is CVE-2022-31151?

This is classified as CWE-601, which is a common weakness in software security.

CVE-2022-31151 - MEDIUM Severity | CVSS 6.5

Vulnerability Description

Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. `maxRedirections: 0` (the default).

Related Vulnerabilities

CVE-2017-15419

MEDIUM

CVSS:6.5(Medium)

Insufficient policy enforcement in Resource Timing API in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to infer browsing history by triggering a leaked cross-origin URL via a crafted ...

CWE-6012017

CVE-2018-0924

MEDIUM

CVSS:6.5(Medium)

Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 20, Microsoft Exchange Server 2013 Cumulative Update 18, Microsoft Exchange Server 2013 Cumulative Update 19, Microsoft Exchange Server 2013...

CWE-6012018

CVE-2019-3778

MEDIUM

CVSS:6.5(Medium)

Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector a...

CWE-6012019

CVE-2019-6741

MEDIUM

CVSS:6.5(Medium)

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Samsung Galaxy S9 prior to January 2019 Security Update (SMR-JAN-2019 - SVE-2018-13467). User intera...

CWE-6012019

CVE-2020-4598

MEDIUM

CVSS:6.5(Medium)

IBM Security Guardium Insights 2.0.1 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote at...

CWE-6012020

CVE-2021-3989

MEDIUM

CVSS:6.5(Medium)

showdoc is vulnerable to URL Redirection to Untrusted Site

CWE-6012021