Cyber Resilience

CVE-2022-24719

Severity: Low

Published: 01 March 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: available (fluture-node 4.0.2)
CVSS Score v3.1: 2.6 (CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0036 (58.3rd percentile)
Risk Priority: 5 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-24719 is a low-severity Exposure of Private Personal Information to an Unauthorized Actor (CWE-359) vulnerability in fluture-node (fluture-node project). Its CVSS v3.1 base score is 2.6 (Low).

Operationally, it ranks in the top 41.7% of CVEs by exploit likelihood (EPSS 0.0036, 58.3rd percentile) and is not currently listed in the CISA KEV catalog.

Vulnerability details

fluture-node is a set of FP-style HTTP and streaming utilities for Node based on Fluture. Using `followRedirects` or `followRedirectsWith` with any of the redirection strategies built into fluture-node 4.0.0 or 4.0.1, paired with a request that includes confidential headers such as Authorization or Cookie, exposes those headers: if the destination server redirects the request to a server on a third-party domain, or to the same domain over unencrypted HTTP, the headers are included in the follow-up request and disclosed to the third party or to anyone sniffing the plaintext traffic. The redirection strategies shipped in version 4.0.2 automatically redact confidential headers when a redirect is followed to another origin. As a workaround on 4.0.0 and 4.0.1, supply a custom redirection strategy via `followRedirectsWith`; the custom strategy can be modelled on the new strategies available in fluture-node@4.0.2.
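The redact-on-cross-origin rule described above, written out as an added example in plain Node.js. This is not fluture-node's code and does not use its API: the function names (`crossesOrigin`, `naiveRedirectHeaders`, `redactedRedirectHeaders`, `followRedirects`), the stub transport and the route table are assumptions constructed for the illustration. The naive policy mirrors the 4.0.0/4.0.1 behaviour the advisory describes (every header is re-sent on the follow-up request); the redacting policy mirrors the 4.0.2 behaviour.

```javascript
// Added example, not fluture-node's own code. Dependency-free Node.js (>= 10,
// for the global URL class). The transport is a constructed stub so the
// redirect chains can be exercised offline.

// Header names (lower-cased) that must not cross an origin boundary. The
// advisory names Authorization and Cookie; extend the set for your own client.
const CONFIDENTIAL_HEADERS = new Set(['authorization', 'cookie']);

// True when following `location` from `fromUrl` leaves the origin the
// credentials were issued for. Origin is scheme + host + port, so a hop from
// https:// to http:// on the same host counts as a different origin, which
// covers the "same domain over unencrypted HTTP" case from the advisory.
function crossesOrigin(fromUrl, location) {
  const target = new URL(location, fromUrl); // Location may be relative
  return target.origin !== new URL(fromUrl).origin;
}

// Vulnerable policy (fluture-node 4.0.0/4.0.1 behaviour): re-send every
// header of the original request, wherever the redirect points.
function naiveRedirectHeaders(fromUrl, location, headers) {
  return { ...headers };
}

// Hardened policy (4.0.2 behaviour): drop confidential headers, matched
// case-insensitively, whenever the hop is cross-origin.
function redactedRedirectHeaders(fromUrl, location, headers) {
  if (!crossesOrigin(fromUrl, location)) return { ...headers };
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!CONFIDENTIAL_HEADERS.has(name.toLowerCase())) kept[name] = value;
  }
  return kept;
}

// Follows 3xx responses with a header policy applied on every hop, bounded by
// `maxRedirects`. `send(url, headers)` is the transport and returns
// { status, headers }. The trace records what was actually sent on each hop.
function followRedirects(send, policy, maxRedirects, url, headers) {
  const trace = [];
  let currentUrl = url;
  let currentHeaders = headers;
  for (let hop = 0; ; hop++) {
    const response = send(currentUrl, currentHeaders);
    trace.push({ url: currentUrl, sentHeaders: currentHeaders, status: response.status });
    const location = response.headers.location;
    if (response.status < 300 || response.status > 399 || !location) {
      return { response, trace };
    }
    if (hop >= maxRedirects) throw new Error(`exceeded ${maxRedirects} redirects`);
    currentHeaders = policy(currentUrl, location, currentHeaders);
    currentUrl = new URL(location, currentUrl).href;
  }
}

// Constructed stub transport standing in for the network: three redirect
// chains (third-party host, https-to-http downgrade, same-origin relative).
const ROUTES = {
  'https://api.example.test/report': { status: 302, headers: { location: 'https://cdn.third-party.test/report' } },
  'https://cdn.third-party.test/report': { status: 200, headers: {} },
  'https://api.example.test/legacy': { status: 301, headers: { location: 'http://api.example.test/legacy' } },
  'http://api.example.test/legacy': { status: 200, headers: {} },
  'https://api.example.test/v2': { status: 307, headers: { location: '/v3' } },
  'https://api.example.test/v3': { status: 200, headers: {} },
};
function stubSend(url, headers) {
  const route = ROUTES[url];
  return route ? { status: route.status, headers: route.headers } : { status: 404, headers: {} };
}

// Constructed request headers; the secrets are placeholders.
const SECRET_HEADERS = { Authorization: 'Bearer s3cr3t', Cookie: 'session=abc', Accept: 'application/json' };

// Compares both policies on the third-party chain and reports whether the
// Authorization header reached the second hop.
function demo() {
  const naive = followRedirects(stubSend, naiveRedirectHeaders, 5, 'https://api.example.test/report', SECRET_HEADERS);
  const safe = followRedirects(stubSend, redactedRedirectHeaders, 5, 'https://api.example.test/report', SECRET_HEADERS);
  return {
    naiveLeaked: 'Authorization' in naive.trace[1].sentHeaders,
    safeLeaked: 'Authorization' in safe.trace[1].sentHeaders,
  };
}

console.log(demo());
```

Comparing full origins rather than host names is what makes the https-to-http hop on the same host count as a leak; a host-only check would forward the Cookie header over plaintext. When porting the rule into a custom strategy for `followRedirectsWith`, apply it on every hop rather than only the first, since a chain can stay same-origin for several hops before leaving.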

CWE(s)

CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor); CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer), as cited in the control mapping below.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

fluture-node project
fluture-node
4.0.0, 4.0.1

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry. These are generic PII-handling controls and do not remediate the defect itself: the effective fix is upgrading fluture-node to 4.0.2 or, on 4.0.0/4.0.1, passing a custom redirection strategy to `followRedirectsWith` that drops confidential headers on cross-origin redirects, as described under Vulnerability details.

addresses: CWE-212 CWE-359

Explicit procedures to delete inaccurate or outdated PII directly mitigate improper removal of sensitive information before storage or transfer.

addresses: CWE-212 CWE-359

The explicit requirement to delete inaccurate/outdated PII implements proper removal of sensitive information before further storage or transfer.

addresses: CWE-212 CWE-359

The control implements proper removal of sensitive information before storage or transfer of datasets.

addresses: CWE-359

Automated marking identifies private personal information in outputs, tangibly reducing the ability to exploit weaknesses that result in its unauthorized exposure.

addresses: CWE-359

Privacy-specific attributes and their controlled association directly reduce exposure of private personal information through missing or incorrect labeling.

addresses: CWE-359

Preventing nonpublic personal information from public posting reduces unauthorized exposure of private personal data.

addresses: CWE-359

The control detects and protects against mining of private personal information, reducing unauthorized exposure of PII.

addresses: CWE-359

Privacy literacy training directly targets preventing exposure of personal information through user mishandling.