CVE-2022-32210 Vulnerability Details

  /     /     /  

CVE-2022-32210 Metadata Quick Info

CVE Published: 14/07/2022 | CVE Updated: 03/08/2024 | CVE Year: 2022
Source: hackerone | Vendor: n/a | Product: https://github.com/nodejs/undici
Status : PUBLISHED

---

CVE-2022-32210 Description

`Undici.ProxyAgent` never verifies the remote server\'s certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy\'s URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.

Metrics

CVSS Version: 3.1 | Base Score: n/a
Vector: n/a

l➤ Exploitability Metrics:
    Attack Vector (AV)*
    Attack Complexity (AC)*
    Privileges Required (PR)*
    User Interaction (UI)*
    Scope (S)*

l➤ Impact Metrics:
    Confidentiality Impact (C)*
    Integrity Impact (I)*
    Availability Impact (A)*

Weakness Enumeration (CWE)

CWE-ID: CWE-295
CWE Name: Improper Certificate Validation (CWE-295)
Source: n/a

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).