Skip to main content

Nestjs Proxy CVE-2022-31070

HIGH
Information Exposure (CWE-200)
2022-06-15 security-advisories@github.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Jun 15, 2022 - 19:15 nvd
HIGH 7.5

DescriptionNVD

NestJS Proxy is a NestJS module to decorate and proxy calls. Prior to version 0.7.0, the nestjs-proxy library did not have a way to block sensitive cookies (e.g. session cookies) from being forwarded to backend services configured by the application developer. This could have led to sensitive cookies being inadvertently exposed to such services that should not see them. The patched version now blocks cookies from being forwarded by default. However developers can configure an allow-list of cookie names by using the allowedCookies config setting. This issue has been fixed in version 0.7.0 of @finastra/nestjs-proxy. Users of @ffdc/nestjs-proxy are advised that this package has been deprecated and is no longer being maintained or receiving updates. Such users should update their package.json file to use @finastra/nestjs-proxy instead.

AnalysisAI

NestJS Proxy is a NestJS module to decorate and proxy calls. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Technical ContextAI

This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. NestJS Proxy is a NestJS module to decorate and proxy calls. Prior to version 0.7.0, the nestjs-proxy library did not have a way to block sensitive cookies (e.g. session cookies) from being forwarded to backend services configured by the application developer. This could have led to sensitive cookies being inadvertently exposed to such services that should not see them. The patched version now blocks cookies from being forwarded by default. However developers can configure an allow-list of cookie names by using the allowedCookies config setting. This issue has been fixed in version 0.7.0 of @finastra/nestjs-proxy. Users of @ffdc/nestjs-proxy are advised that this package has been deprecated and is no longer being maintained or receiving updates. Such users should update their package.json file to use @finastra/nestjs-proxy instead. Affected products include: Finastra Nestjs-Proxy, Nestjs-Proxy Project Nestjs-Proxy. Version information: version 0.7.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.

Share

CVE-2022-31070 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy