Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zaGpnLXZjN3ItcmNyd805Qw
Denial of Service vulnerability in @podium/layout and @podium/proxy
Impact
An attacker using the Trailer header as part of the request against proxy endpoints has the ability to take down the server.
All Podium layouts that include podlets with proxy endpoints are affected.
Patches
@podium/layout which is the main way developers/users are vulnerable to this exploit, has been patched in version 4.6.110. All earlier versions are vulnerable.
@podium/proxy which is the source of the vulnerability and is used by @podium/layout has been patched in version 4.2.74. All earlier versions are vulnerable.
Workarounds
It is not easily possible to work around this issue without upgrading. We recommend upgrading @podium/layout and/or @podium/proxy as soon as possible.
For more information
If you have any questions or comments about this advisory:
- Open an issue in podium-lib/issues
Credits
The vulnerability was reported by krynos from Ercoli Consulting via FINN.no's private bug bounty program
Permalink: https://github.com/advisories/GHSA-3hjg-vc7r-rcrwJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zaGpnLXZjN3ItcmNyd805Qw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-3hjg-vc7r-rcrw, CVE-2022-24822
References:
- https://github.com/podium-lib/proxy/security/advisories/GHSA-3hjg-vc7r-rcrw
- https://nvd.nist.gov/vuln/detail/CVE-2022-24822
- https://github.com/podium-lib/layout/commit/fe43e655432b0a5f07b6475f67babcc2588fb039
- https://github.com/podium-lib/proxy/commit/9698a40df081217ce142d4de71f929baaa339cdf
- https://github.com/podium-lib/layout/releases/tag/v4.6.110
- https://github.com/podium-lib/proxy/releases/tag/v4.2.74
- https://github.com/advisories/GHSA-3hjg-vc7r-rcrw
Blast Radius: 12.3
Affected Packages
npm:@podium/proxy
Dependent packages: 4Dependent repositories: 43
Downloads: 27,917 last month
Affected Version Ranges: < 4.2.74
Fixed in: 4.2.74
All affected versions: 2.2.0, 2.4.3, 2.4.4, 2.5.0, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.2.11, 4.2.12, 4.2.13, 4.2.14, 4.2.15, 4.2.16, 4.2.17, 4.2.18, 4.2.19, 4.2.20, 4.2.21, 4.2.22, 4.2.23, 4.2.24, 4.2.25, 4.2.26, 4.2.27, 4.2.28, 4.2.29, 4.2.30, 4.2.31, 4.2.32, 4.2.33, 4.2.34, 4.2.35, 4.2.36, 4.2.37, 4.2.38, 4.2.39, 4.2.40, 4.2.41, 4.2.42, 4.2.43, 4.2.44, 4.2.45, 4.2.46, 4.2.47, 4.2.48, 4.2.49, 4.2.50, 4.2.51, 4.2.52, 4.2.53, 4.2.54, 4.2.55, 4.2.56, 4.2.57, 4.2.58, 4.2.59, 4.2.60, 4.2.61, 4.2.62, 4.2.63, 4.2.64, 4.2.65, 4.2.66, 4.2.67, 4.2.68, 4.2.69, 4.2.70, 4.2.71, 4.2.72, 4.2.73
All unaffected versions: 4.2.74, 4.2.75, 4.2.76, 4.2.77, 4.2.78, 4.2.79, 4.2.80, 4.2.81, 4.2.82, 4.2.83, 4.2.84, 4.2.85, 4.2.86, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 5.0.19, 5.0.20, 5.0.21, 5.0.22, 5.0.23, 5.0.24, 5.0.25, 5.0.26, 5.0.27
npm:@podium/layout
Dependent packages: 5Dependent repositories: 25
Downloads: 20,649 last month
Affected Version Ranges: < 4.6.110
Fixed in: 4.6.110
All affected versions: 2.5.1, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 4.0.0, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.5.0, 4.5.1, 4.6.0, 4.6.1, 4.6.2, 4.6.3, 4.6.4, 4.6.5, 4.6.6, 4.6.7, 4.6.8, 4.6.9, 4.6.10, 4.6.11, 4.6.12, 4.6.13, 4.6.14, 4.6.15, 4.6.16, 4.6.17, 4.6.18, 4.6.19, 4.6.20, 4.6.21, 4.6.22, 4.6.23, 4.6.24, 4.6.25, 4.6.26, 4.6.27, 4.6.28, 4.6.29, 4.6.30, 4.6.31, 4.6.32, 4.6.33, 4.6.34, 4.6.35, 4.6.36, 4.6.37, 4.6.38, 4.6.39, 4.6.40, 4.6.41, 4.6.42, 4.6.43, 4.6.44, 4.6.45, 4.6.46, 4.6.47, 4.6.48, 4.6.49, 4.6.50, 4.6.51, 4.6.52, 4.6.53, 4.6.54, 4.6.55, 4.6.56, 4.6.57, 4.6.58, 4.6.59, 4.6.60, 4.6.61, 4.6.62, 4.6.63, 4.6.64, 4.6.65, 4.6.66, 4.6.67, 4.6.68, 4.6.69, 4.6.70, 4.6.71, 4.6.72, 4.6.73, 4.6.74, 4.6.75, 4.6.76, 4.6.77, 4.6.78, 4.6.79, 4.6.80, 4.6.81, 4.6.82, 4.6.83, 4.6.84, 4.6.85, 4.6.86, 4.6.87, 4.6.88, 4.6.89, 4.6.90, 4.6.91, 4.6.92, 4.6.93, 4.6.94, 4.6.95, 4.6.96, 4.6.97, 4.6.98, 4.6.99, 4.6.100, 4.6.101, 4.6.102, 4.6.103, 4.6.104, 4.6.105, 4.6.106, 4.6.107, 4.6.108, 4.6.109
All unaffected versions: 4.6.110, 4.6.111, 4.6.112, 4.6.113, 4.6.114, 4.6.115, 4.6.116, 4.6.117, 4.6.118, 4.6.119, 4.6.120, 4.6.121, 4.6.122, 4.6.123, 4.6.124, 4.6.125, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1.10, 5.1.11, 5.1.12, 5.1.13, 5.1.14, 5.1.15, 5.1.16, 5.1.17, 5.1.18, 5.1.19, 5.1.20, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6