[SECURITY] [DLA 3336-1] node-url-parse security update

2023-02-23 00:55:13
lists.debian.org

Tags: debian lts, node-url-parse, cve-2021-3664, cve-2021-27515, cve-2022-0512, cve-2022-0639, cve-2022-0686, cve-2022-0691, authorization bypass, redirection, vulnerabilities, security update

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: NONE
  Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE
  User Interaction: NONE; Scope: UNCHANGED
  Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

AI Score: 6.9 Medium (Confidence: Low)

EPSS: 0.003 Low (Percentile: 69.9%)


Debian LTS Advisory DLA-3336-1 [email protected]
https://www.debian.org/lts/security/ Guilhem Moulin
February 23, 2023 https://wiki.debian.org/LTS

Package : node-url-parse
Version : 1.2.0-2+deb10u2
CVE ID : CVE-2021-3664 CVE-2021-27515 CVE-2022-0512 CVE-2022-0639
CVE-2022-0686 CVE-2022-0691
Debian Bug : 985110 991577

Multiple vulnerabilities were found in node-url-parse, a Node.js
module used to parse URLs, which may result in authorization bypass or
redirection to untrusted sites.

CVE-2021-3664

url-parse mishandles certain uses of a single (back)slash such as
https:\ & https:/ and interprets the URI as a relative path.
Browsers accept a single backslash after the protocol, and treat it
as a normal slash, while url-parse sees it as a relative path.
Depending on library usage, this may result in allow/block list
bypasses, SSRF attacks, open redirects, or other undesired behavior.

CVE-2021-27515

Using backslash in the protocol is valid in the browser, while
url-parse thinks it's a relative path.  An application that
validates a URL using url-parse might pass a malicious link.

CVE-2022-0512

Incorrect handling of username and password can lead to failure to
properly identify the hostname, which in turn could result in
authorization bypass.

CVE-2022-0639

Incorrect conversion of `@` characters in protocol in the `href`
field can lead to failure to properly identify the hostname, which in
turn could result in authorization bypass.

CVE-2022-0686

Rohan Sharma reported that url-parse is unable to find the correct
hostname when no port number is provided in the URL, such as in
`http://example.com:`.  This could in turn result in SSRF attacks,
open redirects or any other vulnerability which depends on the
`hostname` field of parsed URL.

CVE-2022-0691

url-parse is unable to find the correct hostname when the URL
contains a backspace `\b` character.  This tricks the parser into
interpreting the URL as a relative path, bypassing all hostname
checks.  It can also lead to false positives in `extractProtocol()`.
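Every issue above has the same shape: the library that validates a URL disagrees with the browser (or HTTP client) that later follows it about which host the URL names. The following is an added example, not code from the advisory or from url-parse: a hostname allow-list check built on Node's built-in WHATWG `URL` class, which implements the same parsing rules browsers follow, fed constructed probes that mirror the advisory's CVE categories (the allow-list and host names are invented for the example).

```javascript
// Added example (not from the advisory or url-parse). Uses Node's built-in
// WHATWG URL parser so the host that is checked is the host that will be
// contacted: a backslash after "https:" is treated as a slash, an empty
// port is tolerated, and the host after the LAST "@" wins.
const ALLOWED_HOSTS = new Set(["trusted.example"]); // constructed allow-list

function isAllowedTarget(rawUrl, allowed = ALLOWED_HOSTS) {
  let url;
  try {
    // Parse without a base URL: relative input throws instead of silently
    // resolving against the application's own origin.
    url = new URL(rawUrl);
  } catch {
    return false; // unparsable (e.g. control characters in the host): reject
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  // Embedded credentials are the classic way to disguise the real host
  // ("user@trusted@evil"); an allow-listed target never needs them.
  if (url.username !== "" || url.password !== "") return false;
  return allowed.has(url.hostname);
}

// Constructed probes, one per vulnerability class in the advisory.
const PROBES = {
  plain: "https://trusted.example/login",
  backslash: "https:\\evil.example/",                  // CVE-2021-3664 / -27515
  emptyPort: "http://trusted.example:/",               // CVE-2022-0686
  atSign: "https://user@trusted.example@evil.example/", // CVE-2022-0512 / -0639
  backspace: "http://trusted.example\b/",              // CVE-2022-0691
  relative: "/redirect?next=evil.example",
};

function classifyProbes(probes = PROBES) {
  const verdicts = {};
  for (const [name, value] of Object.entries(probes)) {
    verdicts[name] = isAllowedTarget(value);
  }
  return verdicts;
}

console.log(JSON.stringify(classifyProbes(), null, 2));
```

Only `plain` and `emptyPort` are accepted; the backslash, `@` and backspace probes either resolve to `evil.example` or fail to parse, and a relative path is refused outright rather than being resolved against the application's own host.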

For Debian 10 buster, these problems have been fixed in version
1.2.0-2+deb10u2.

We recommend that you upgrade your node-url-parse packages.

For the detailed security status of node-url-parse please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-url-parse

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OS      Version  Architecture  Package         Version             Filename
Debian  10       all           node-url-parse  < 1.2.0-2+deb10u2   node-url-parse_1.2.0-2+deb10u2_all.deb