CVE-2022-1650

NameCVE-2022-1650
DescriptionImproper Removal of Sensitive Information Before Storage or Transfer in GitHub repository eventsource/eventsource prior to v2.0.2.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3235-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-eventsource (PTS)bullseye1.0.7-1+deb11u1fixed
bookworm2.0.2+~1.1.10-1fixed
sid, trixie2.0.2+~1.1.10-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-eventsourcesourcestretch(unfixed)end-of-life
node-eventsourcesourcebuster0.2.1-1+deb10u1DLA-3235-1
node-eventsourcesourcebullseye1.0.7-1+deb11u1
node-eventsourcesource(unstable)2.0.2+~1.1.8-1

Notes

[stretch] - node-eventsource <end-of-life> (not covered by security support)
https://huntr.dev/bounties/dc9e467f-be5d-4945-867d-1044d27e9b8e/
https://github.com/eventsource/eventsource/commit/10ee0c4881a6ba2fe65ec18ed195ac35889583c4 (v2.0.2)
Search for package or bug name: Reporting problems