Description
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
An authorization bypass flaw was found in url-parse. While submitting a URL, a local unauthenticated attacker can add a trailing colon (:), but omit the port number. This issue enables an open redirect that allows the exposure of sensitive information or spamming of infrastructure outside the vulnerable server.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| OpenShift Service Mesh 2.0 | servicemesh-grafana | Affected | ||
| OpenShift Service Mesh 2.0 | servicemesh-prometheus | Affected | ||
| OpenShift Service Mesh 2.1 | openshift-service-mesh/kiali-rhel8 | Will not fix | ||
| OpenShift Service Mesh 2.1 | servicemesh-grafana | Will not fix | ||
| OpenShift Service Mesh 2.1 | servicemesh-prometheus | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | url-parse | Under investigation | ||
| Red Hat Quay 3 | quay/quay-rhel8 | Affected | ||
| Red Hat Virtualization 4 | url-parse | Not affected | ||
| Red Hat Migration Toolkit for Containers 1.7 | rhmtc/openshift-migration-ui-rhel8 | Fixed | RHSA-2022:6429 | 13.09.2022 |
Additional information
Status:
Important
Defect:
CWE-639
https://bugzilla.redhat.com/show_bug.cgi?id=2060018 npm-url-parse: Authorization bypass through user-controlled key
9.1 Critical
CVSS3
Related vulnerabilities
CVSS3: 9.1
ubuntu
almost 4 years ago
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
CVSS3: 9.1
nvd
almost 4 years ago
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
CVSS3: 9.1
debian
almost 4 years ago
Authorization Bypass Through User-Controlled Key in NPM url-parse prio ...
CVSS3: 9.1
github
almost 4 years ago
Authorization Bypass Through User-Controlled Key in url-parse