Vulnerability Details CVE-2023-28155
The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 68.8%
CVSS Severity
CVSS v3 Score 6.1
Products affected by CVE-2023-28155
- cpe:2.3:a:request_project:request:1.2.0
- cpe:2.3:a:request_project:request:2.17.0
- cpe:2.3:a:request_project:request:2.18.0
- cpe:2.3:a:request_project:request:2.18.1
- cpe:2.3:a:request_project:request:2.19.0
- cpe:2.3:a:request_project:request:2.19.1
- cpe:2.3:a:request_project:request:2.20.0
- cpe:2.3:a:request_project:request:2.20.1
- cpe:2.3:a:request_project:request:2.21.0
- cpe:2.3:a:request_project:request:2.21.1
- cpe:2.3:a:request_project:request:2.22.0
- cpe:2.3:a:request_project:request:2.22.1
- cpe:2.3:a:request_project:request:2.23.0
- cpe:2.3:a:request_project:request:2.23.1
- cpe:2.3:a:request_project:request:2.24.0
- cpe:2.3:a:request_project:request:2.24.1
- cpe:2.3:a:request_project:request:2.25.0
- cpe:2.3:a:request_project:request:2.25.1
- cpe:2.3:a:request_project:request:2.26.0
- cpe:2.3:a:request_project:request:2.26.1
- cpe:2.3:a:request_project:request:2.27.0
- cpe:2.3:a:request_project:request:2.27.1
- cpe:2.3:a:request_project:request:2.28.0
- cpe:2.3:a:request_project:request:2.28.1
- cpe:2.3:a:request_project:request:2.29.0
- cpe:2.3:a:request_project:request:2.29.1
- cpe:2.3:a:request_project:request:2.30.0
- cpe:2.3:a:request_project:request:2.30.1
- cpe:2.3:a:request_project:request:2.31.0
- cpe:2.3:a:request_project:request:2.31.1
- cpe:2.3:a:request_project:request:2.32.0
- cpe:2.3:a:request_project:request:2.32.1
- cpe:2.3:a:request_project:request:2.33.0
- cpe:2.3:a:request_project:request:2.33.1
- cpe:2.3:a:request_project:request:2.34.0
- cpe:2.3:a:request_project:request:2.34.1
- cpe:2.3:a:request_project:request:2.35.0
- cpe:2.3:a:request_project:request:2.35.1
- cpe:2.3:a:request_project:request:2.36.0
- cpe:2.3:a:request_project:request:2.36.1
- cpe:2.3:a:request_project:request:2.37.0
- cpe:2.3:a:request_project:request:2.37.1
- cpe:2.3:a:request_project:request:2.38.0
- cpe:2.3:a:request_project:request:2.38.1
- cpe:2.3:a:request_project:request:2.39.0
- cpe:2.3:a:request_project:request:2.39.1
- cpe:2.3:a:request_project:request:2.40.0
- cpe:2.3:a:request_project:request:2.40.1
- cpe:2.3:a:request_project:request:2.41.0
- cpe:2.3:a:request_project:request:2.41.1
- cpe:2.3:a:request_project:request:2.42.0
- cpe:2.3:a:request_project:request:2.42.1
- cpe:2.3:a:request_project:request:2.43.0
- cpe:2.3:a:request_project:request:2.43.1
- cpe:2.3:a:request_project:request:2.44.0
- cpe:2.3:a:request_project:request:2.44.1
- cpe:2.3:a:request_project:request:2.45.0
- cpe:2.3:a:request_project:request:2.45.1
- cpe:2.3:a:request_project:request:2.46.0
- cpe:2.3:a:request_project:request:2.46.1
- cpe:2.3:a:request_project:request:2.47.0
- cpe:2.3:a:request_project:request:2.47.1
- cpe:2.3:a:request_project:request:2.48.0
- cpe:2.3:a:request_project:request:2.48.1
- cpe:2.3:a:request_project:request:2.49.0
- cpe:2.3:a:request_project:request:2.49.1
- cpe:2.3:a:request_project:request:2.50.0
- cpe:2.3:a:request_project:request:2.50.1
- cpe:2.3:a:request_project:request:2.51.0
- cpe:2.3:a:request_project:request:2.51.1
- cpe:2.3:a:request_project:request:2.52.0
- cpe:2.3:a:request_project:request:2.52.1
- cpe:2.3:a:request_project:request:2.53.0
- cpe:2.3:a:request_project:request:2.53.1
- cpe:2.3:a:request_project:request:2.54.0
- cpe:2.3:a:request_project:request:2.54.1
- cpe:2.3:a:request_project:request:2.55.0
- cpe:2.3:a:request_project:request:2.55.1
- cpe:2.3:a:request_project:request:2.56.0
- cpe:2.3:a:request_project:request:2.56.1
- cpe:2.3:a:request_project:request:2.57.0
- cpe:2.3:a:request_project:request:2.57.1
- cpe:2.3:a:request_project:request:2.58.0
- cpe:2.3:a:request_project:request:2.58.1
- cpe:2.3:a:request_project:request:2.59.0
- cpe:2.3:a:request_project:request:2.59.1
- cpe:2.3:a:request_project:request:2.60.0
- cpe:2.3:a:request_project:request:2.60.1
- cpe:2.3:a:request_project:request:2.61.0
- cpe:2.3:a:request_project:request:2.61.1
- cpe:2.3:a:request_project:request:2.62.0
- cpe:2.3:a:request_project:request:2.62.1
- cpe:2.3:a:request_project:request:2.63.0
- cpe:2.3:a:request_project:request:2.63.1
- cpe:2.3:a:request_project:request:2.64.0
- cpe:2.3:a:request_project:request:2.64.1
- cpe:2.3:a:request_project:request:2.65.0
- cpe:2.3:a:request_project:request:2.65.1
- cpe:2.3:a:request_project:request:2.66.0
- cpe:2.3:a:request_project:request:2.66.1
- cpe:2.3:a:request_project:request:2.67.0
- cpe:2.3:a:request_project:request:2.67.1
- cpe:2.3:a:request_project:request:2.68.0
- cpe:2.3:a:request_project:request:2.68.1
- cpe:2.3:a:request_project:request:2.69.0
- cpe:2.3:a:request_project:request:2.69.1
- cpe:2.3:a:request_project:request:2.70.0
- cpe:2.3:a:request_project:request:2.70.1
- cpe:2.3:a:request_project:request:2.71.0
- cpe:2.3:a:request_project:request:2.71.1
- cpe:2.3:a:request_project:request:2.72.0
- cpe:2.3:a:request_project:request:2.72.1
- cpe:2.3:a:request_project:request:2.73.0
- cpe:2.3:a:request_project:request:2.73.1
- cpe:2.3:a:request_project:request:2.74.0
- cpe:2.3:a:request_project:request:2.74.1
- cpe:2.3:a:request_project:request:2.75.0
- cpe:2.3:a:request_project:request:2.75.1
- cpe:2.3:a:request_project:request:2.76.0
- cpe:2.3:a:request_project:request:2.76.1
- cpe:2.3:a:request_project:request:2.77.0
- cpe:2.3:a:request_project:request:2.77.1
- cpe:2.3:a:request_project:request:2.78.0
- cpe:2.3:a:request_project:request:2.78.1
- cpe:2.3:a:request_project:request:2.79.0
- cpe:2.3:a:request_project:request:2.79.1
- cpe:2.3:a:request_project:request:2.80.0
- cpe:2.3:a:request_project:request:2.80.1
- cpe:2.3:a:request_project:request:2.81.0
- cpe:2.3:a:request_project:request:2.81.1
- cpe:2.3:a:request_project:request:2.82.0
- cpe:2.3:a:request_project:request:2.82.1
- cpe:2.3:a:request_project:request:2.83.0
- cpe:2.3:a:request_project:request:2.83.1
- cpe:2.3:a:request_project:request:2.84.0
- cpe:2.3:a:request_project:request:2.84.1
- cpe:2.3:a:request_project:request:2.85.0
- cpe:2.3:a:request_project:request:2.85.1
- cpe:2.3:a:request_project:request:2.86.0
- cpe:2.3:a:request_project:request:2.86.1
- cpe:2.3:a:request_project:request:2.87.0
- cpe:2.3:a:request_project:request:2.87.1
- cpe:2.3:a:request_project:request:2.88.0
- cpe:2.3:a:request_project:request:2.88.1