EIQ-2019-0037#

ID

EIQ-2019-0037

CVE

-

Description

https-proxy-agent could enable main-in-the-middle attacks

Date

23 Oct 2019

Severity

2 - MEDIUM

CVSSv3 score

6.1

Status

✅ 2.7.0

Assessment

https-proxy-agent versions 2.2.2 and earlier can enable man-in-the-middle (MitM) attacks.

The module implements Node.js http.Agent connectivity functionality through the HTTP CONNECT method and a proxy server.

If the connect request targets a secure (HTTPS) endpoint, and if it returns a response with an HTTP status code other than 200/OK, https-proxy-agent does not upgrade to TLS.

This exposes the request data, because it is transmitted over an unencrypted connection.

An attacker with access to the proxy server, and with the ability to obtain a TCP data dump, could intercept the request data.

The data may contain basic authentication details, or other authentication credential information.

The attacker could retrieve this data, and use it to impersonate the requesting client.

Mitigation

Upgrade to http-proxy-agent versions 2.2.3, 3.0.0, or later.

Affected versions

2.6.0 and earlier.

Notes

For more information, see: