You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Path to dependency file: /core/jazz_metrics/package.json
Path to vulnerable library: /core/jazz_metrics/node_modules/request/package.json,/core/jazz_delete-serverless-service/node_modules/request/package.json,/core/jazz_environments/node_modules/request/package.json,/core/jazz_is-slack-channel-available/node_modules/request/package.json,/core/jazz_asset-event-handler/node_modules/request/package.json,/core/jazz_splunk-kinesis-log-streamer/node_modules/request/package.json,/core/jazz_codeq/node_modules/request/package.json,/core/jazz_events/node_modules/request/package.json,/core/jazz_slack-channel/node_modules/request/package.json,/core/jazz_token-authorizer/node_modules/request/package.json,/core/jazz_deployments-event-handler/node_modules/request/package.json,/core/jazz_test-lambda/node_modules/request/package.json,/core/jazz_environment-event-handler/node_modules/request/package.json,/core/jazz_usermanagement/node_modules/request/package.json,/core/jazz_deployments/node_modules/request/package.json,/templates/react-website-template/app/node_modules/request/package.json,/core/jazz_cognito-admin-authorizer/node_modules/request/package.json,/core/jazz_t-vault/node_modules/request/package.json,/core/jazz_slack-event-handler/node_modules/request/package.json,/core/jazz_es-kinesis-log-streamer/node_modules/request/package.json,/core/jazz_cognito-authorizer/node_modules/request/package.json,/core/jazz_acl/node_modules/request/package.json,/core/jazz_logs/node_modules/request/package.json,/core/jazz_create-serverless-service/node_modules/request/package.json,/core/jazz_assets/node_modules/request/package.json,/core/jazz_scm-webhook/node_modules/request/package.json,/builds/jazz_azure-create-service/node_modules/request/package.json
The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).NOTE: The request package is no longer supported by the maintainer.
mend-for-github-combot
changed the title
CVE-2023-28155 (Medium) detected in request-2.81.0.tgz, request-2.88.2.tgz
CVE-2023-28155 (Medium) detected in request-2.88.2.tgz
Mar 3, 2024
mend-for-github-combot
changed the title
CVE-2023-28155 (Medium) detected in request-2.88.2.tgz
CVE-2023-28155 (Medium) detected in request-2.88.2.tgz - autoclosed
May 4, 2024
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
mend-for-github-combot
changed the title
CVE-2023-28155 (Medium) detected in request-2.88.2.tgz - autoclosed
CVE-2023-28155 (Medium) detected in request-2.88.2.tgz
May 4, 2024
ℹ️ This issue was automatically closed by Mend because it is a duplicate of an existing issue: #465
mend-for-github-combot
changed the title
CVE-2023-28155 (Medium) detected in request-2.88.2.tgz
CVE-2023-28155 (Medium) detected in request-2.88.2.tgz - autoclosed
May 19, 2024
CVE-2023-28155 - Medium Severity Vulnerability
Vulnerable Library - request-2.88.2.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Path to dependency file: /core/jazz_metrics/package.json
Path to vulnerable library: /core/jazz_metrics/node_modules/request/package.json,/core/jazz_delete-serverless-service/node_modules/request/package.json,/core/jazz_environments/node_modules/request/package.json,/core/jazz_is-slack-channel-available/node_modules/request/package.json,/core/jazz_asset-event-handler/node_modules/request/package.json,/core/jazz_splunk-kinesis-log-streamer/node_modules/request/package.json,/core/jazz_codeq/node_modules/request/package.json,/core/jazz_events/node_modules/request/package.json,/core/jazz_slack-channel/node_modules/request/package.json,/core/jazz_token-authorizer/node_modules/request/package.json,/core/jazz_deployments-event-handler/node_modules/request/package.json,/core/jazz_test-lambda/node_modules/request/package.json,/core/jazz_environment-event-handler/node_modules/request/package.json,/core/jazz_usermanagement/node_modules/request/package.json,/core/jazz_deployments/node_modules/request/package.json,/templates/react-website-template/app/node_modules/request/package.json,/core/jazz_cognito-admin-authorizer/node_modules/request/package.json,/core/jazz_t-vault/node_modules/request/package.json,/core/jazz_slack-event-handler/node_modules/request/package.json,/core/jazz_es-kinesis-log-streamer/node_modules/request/package.json,/core/jazz_cognito-authorizer/node_modules/request/package.json,/core/jazz_acl/node_modules/request/package.json,/core/jazz_logs/node_modules/request/package.json,/core/jazz_create-serverless-service/node_modules/request/package.json,/core/jazz_assets/node_modules/request/package.json,/core/jazz_scm-webhook/node_modules/request/package.json,/builds/jazz_azure-create-service/node_modules/request/package.json
Dependency Hierarchy:
Found in HEAD commit: 712665b267203375ee4b15e1f8d1ebe08abc1547
Found in base branch: develop
Vulnerability Details
The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).NOTE: The request package is no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-p8p7-x288-28g6
Release Date: 2023-03-16
Fix Resolution: @cypress/request - 3.0.0
The text was updated successfully, but these errors were encountered: