EIQ-2019-0037

ID	EIQ-2019-0037
CVE	-
Description	https-proxy-agent could enable main-in-the-middle attacks
Date	23 Oct 2019
Severity	2 - MEDIUM
CVSSv3 score	6.1
Status	2.7.0
Assessment	https-proxy-agent versions 2.2.2 and earlier can enable man-in-the-middle (MitM) attacks. The module implements Node.js http.Agent connectivity functionality through the HTTP `CONNECT` method and a proxy server. If the connect request targets a secure (HTTPS) endpoint, and if it returns a response with an HTTP status code other than 200/OK, https-proxy-agent does not upgrade to TLS. This exposes the request data, because it is transmitted over an unencrypted connection. An attacker with access to the proxy server, and with the ability to obtain a TCP data dump, could intercept the request data. The data may contain basic authentication details, or other authentication credential information. The attacker could retrieve this data, and use it to impersonate the requesting client.
Mitigation	Upgrade to http-proxy-agent versions 2.2.3, 3.0.0, or later.
Affected versions	2.6.0 and earlier.
Notes	For more information, see: Snyk report about the vulnerability Hackerone report about the vulnerability npm advisory about the vulnerability GitHub PR with the fix GitHub commit with the fix

In release notes 2.6.0

In release notes 2.7.0