Description
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
An authorization bypass flaw was found in url-parse. This flaw allows a local unauthenticated attacker to add a backspace character (\b) while submitting a URL. This vulnerability can enable bypassing any hostname checks.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| OpenShift Service Mesh 2.0 | servicemesh-grafana | Affected | ||
| OpenShift Service Mesh 2.0 | servicemesh-prometheus | Affected | ||
| OpenShift Service Mesh 2.1 | servicemesh-grafana | Affected | ||
| OpenShift Service Mesh 2.1 | servicemesh-prometheus | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | url-parse | Under investigation | ||
| Red Hat Quay 3 | quay/quay-rhel8 | Affected | ||
| Red Hat Virtualization 4 | url-parse | Not affected | ||
| Red Hat Migration Toolkit for Containers 1.7 | rhmtc/openshift-migration-ui-rhel8 | Fixed | RHSA-2022:6429 | 13.09.2022 |
Additional information
Status: Important
Defect: CWE-639
https://bugzilla.redhat.com/show_bug.cgi?id=2060020 npm-url-parse: authorization bypass through user-controlled key
EPSS: 0.00109 (percentile: 30%, Low)
CVSS3: 9.8 Critical
Related vulnerabilities
CVSS3: 9.8
ubuntu
almost 4 years ago
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
CVSS3: 9.8
nvd
almost 4 years ago
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
CVSS3: 9.8
debian
almost 4 years ago
Authorization Bypass Through User-Controlled Key in NPM url-parse prio ...
CVSS3: 6.5
github
almost 4 years ago
url-parse incorrectly parses hostname / protocol due to unstripped leading control characters.