Description
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.
An authorization bypass flaw was found in url-parse. This flaw allows a local unauthenticated attacker to add an at symbol (@) while submitting a URL. This issue enables the bypass of validation or block-listing restrictions.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| OpenShift Service Mesh 2.0 | servicemesh-grafana | Affected | ||
| OpenShift Service Mesh 2.0 | servicemesh-prometheus | Affected | ||
| OpenShift Service Mesh 2.1 | servicemesh-grafana | Will not fix | ||
| OpenShift Service Mesh 2.1 | servicemesh-prometheus | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | url-parse | Not affected | ||
| Red Hat Quay 3 | quay/quay-rhel8 | Affected | ||
| Red Hat Virtualization 4 | url-parse | Not affected | ||
| Red Hat Migration Toolkit for Containers 1.7 | rhmtc/openshift-migration-ui-rhel8 | Fixed | RHSA-2022:6429 | 13.09.2022 |
Additional information
Status:
Moderate
Defect:
CWE-639
https://bugzilla.redhat.com/show_bug.cgi?id=2057442 npm-url-parse: Authorization Bypass Through User-Controlled Key
EPSS
Percentile: 6%
0.00025
Low
6.2 Medium
CVSS3
Related vulnerabilities
CVSS3: 5.3
ubuntu
almost 4 years ago
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.
CVSS3: 5.3
nvd
almost 4 years ago
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.
CVSS3: 5.3
debian
almost 4 years ago
Authorization Bypass Through User-Controlled Key in NPM url-parse prio ...
CVSS3: 6.5
github
almost 4 years ago
url-parse Incorrectly parses URLs that include an '@'