Debian 10 Buster DLA-3336-1 Critical: Node-Url-Parse Authorization Bypass
debian lts
February 23, 2023
Multiple vulnerabilities were found in node-types-url-parse, a Node.js module used to parse URLs, which may result in authorization bypass or redirection to untrusted sites.
...
Summary
Multiple vulnerabilities were found in node-types-url-parse, a Node.js
module used to parse URLs, which may result in authorization bypass or
redirection to untrusted sites.
CVE-2021-3664
url-parse mishandles certain uses of a single (back)slash such as
https:\ & https:/ and interprets the URI as a relative path.
Browsers accept a single backslash after the protocol, and treat it
as a normal slash, while url-parse sees it as a relative path.
Depending on library usage, this may result in allow/block list
bypasses, SSRF attacks, open redirects, or other undesired behavior.
CVE-2021-27515
Using backslash in the protocol is valid in the browser, while
url-parse thinks it's a relative path. An application that
validates a URL using url-parse might pass a malicious link.
CVE-2022-0512
Incorrect handling of username and password can lead to failure to
properly identify the hostname, which in turn could result in
authorization bypass.
CVE-2022-0639
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Package: node-url-parse
Version: 1.2.0-2+deb10u2
CVE ID: CVE-2021-3664 CVE-2021-27515 CVE-2022-0512 CVE-2022-0639
Debian Bug: 985110 991577
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!