CVE-2022-1650: Improper Removal of Sensitive Information Before Storage or Transfer in eventsource/eventsource

Published May 12, 2022
·
Updated

A flaw was found in the EventSource NPM Package. The description from the source states the following message: "Exposure of Sensitive Information to an Unauthorized Actor." This flaw allows an attacker to steal the user's credentials and then use the credentials to access the legitimate website.

Other sources

EventSource could allow a remote attacker to obtain sensitive information, caused by the exposure of resources to the wrong sphere. By redirecting the victim to a malicious site, an attacker could exploit this vulnerability to obtain Cookies and Authorisation headers, and use this information to launch further attacks against the affected system.

IBM

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository eventsource/eventsource prior to v2.0.2.

https://huntr.dev/bounties/dc9e467f-be5d-4945-867d-1044d27e9b8e https://github.com/eventsource/eventsource/commit/10ee0c4881a6ba2fe65ec18ed195ac35889583c4

Red Hat

Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository eventsource/eventsource prior to v2.0.2.

When fetching an url with a link to an external site (Redirect), the users Cookies & Autorisation headers are leaked to the third party application. According to the same-origin-policy, the header should be "sanitized."

Affected Software

13 affected componentsFixes available
redhat/rh-dotnet31-dotnet<0:3.1.422-1.el7_9
0:3.1.422-1.el7_9
redhat/rh-dotnet60-dotnet<0:6.0.107-1.el7_9
0:6.0.107-1.el7_9
redhat/dotnet6.0<0:6.0.107-1.el8_6
0:6.0.107-1.el8_6
redhat/dotnet3.1<0:3.1.422-1.el8_6
0:3.1.422-1.el8_6
redhat/dotnet6.0<0:6.0.107-1.el9_0
0:6.0.107-1.el9_0
npm/eventsource>=2.0.0<2.0.2
2.0.2
npm/eventsource<1.1.1
1.1.1
redhat/eventsource<2.0.2
2.0.2
IBM Planning Analytics<=2.1
IBM Planning Analytics<=2.0
eventsource eventsource<1.1.1
eventsource eventsource>=2.0.0<2.0.2
Debian Debian Linux=10.0

Remediation

Patch Available

https://github.com/eventsource/eventsource/commit/10ee0c4881a6ba2fe65ec18ed195ac35889583c4

Patch Available

https://huntr.dev/bounties/dc9e467f-be5d-4945-867d-1044d27e9b8e

Event History

May 12, 2022
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
DescriptionSeverityWeakness
Data Sourced
via NVD·11:15 AM
RemedyDescriptionSeverityWeaknessAffected Software
May 13, 2022
Advisory Published
12:01 AM
Data Sourced
via Red Hat·12:20 AM
DescriptionSeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2022-1650?

CVE-2022-1650 is categorized as a high severity vulnerability due to the risk of credential theft.

2

How do I fix CVE-2022-1650?

To remediate CVE-2022-1650, upgrade to the patched versions of the affected packages, specifically eventsource version 2.0.2 or later.

3

Which software is affected by CVE-2022-1650?

CVE-2022-1650 affects the eventsource NPM package and various Red Hat Dotnet packages including rh-dotnet31-dotnet and rh-dotnet60-dotnet.

4

What kind of attack does CVE-2022-1650 facilitate?

CVE-2022-1650 allows attackers to expose sensitive information, leading to potential credential theft for unauthorized access.

5

Is there a known exploitation method for CVE-2022-1650?

Yes, exploitation of CVE-2022-1650 can occur through weaknesses in the eventsource NPM package that allow attackers to steal user credentials.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203