CVE-2022-0536

NameCVE-2022-0536
DescriptionImproper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-follow-redirects (PTS)buster1.2.4-1vulnerable
bullseye1.13.1-1+deb11u1fixed
bookworm1.15.2+~1.14.1-1fixed
sid, trixie1.15.6+~1.14.4-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-follow-redirectssourcebullseye1.13.1-1+deb11u1
node-follow-redirectssource(unstable)1.14.8+~1.14.0-1

Notes

[buster] - node-follow-redirects <ignored> (Minor issue, too intrusive to backport)
https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db/
https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445 (v1.14.8)
Search for package or bug name: Reporting problems