exploitDog

CVE-2021-27516

Published: 22 Feb 2021
Source: redhat
CVSS3: 7.5
EPSS: Low

Description

URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path.

A flaw was found in nodejs-urijs where URI.js (urijs) mishandles certain uses of the backslash such as http:\/ and interprets the URI as a relative path. The highest threat from this vulnerability is to confidentiality.

Report

Red Hat Quay includes the urijs dependency in its package.lock file but it's not used anywhere in the code. Red Hat Advanced Cluster Management for Kubernetes uses Quay as a service, but not code from Quay that exists in RHACM.

Affected packages

| Platform | Package | State | Recommendation | Release |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/application-ui-rhel8 | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/mcm-topology-rhel8 | Not affected | | |
| Red Hat Quay 3 | quay/quay-rhel8 | Fixed | RHSA-2021:3917 | 19.10.2021 |

Additional information

Status: Important
Defect: CWE-20
https://bugzilla.redhat.com/show_bug.cgi?id=1934470 nodejs-urijs: mishandling certain uses of backslash may lead to confidentiality compromise

EPSS

Percentile: 67%
0.00552
Low

7.5 High

CVSS3

Related vulnerabilities

CVSS3: 7.5
nvd
almost 5 years ago

URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path.

CVSS3: 7.5
debian
almost 5 years ago

URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash ...

CVSS3: 7.5
github
almost 5 years ago

URIjs Hostname spoofing via backslashes in URL
