search

overture-stack / enrolment

:white_check_mark: Enrolment system for projects and users targeted towards cloud infrastructure operation.
GNU Affero General Public License v3.0
5 stars 1 forks source link

Vulnerability Updates - March 1 #198

Closed justincorrigible closed 3 years ago

justincorrigible commented 3 years ago

Upgrade urijs to version 1.19.6 or later.

GHSA-p6j9-7xhc-rhwp moderate severity Vulnerable versions: < 1.19.6 Patched version: 1.19.6 Impact

If using affected versions to determine a URL's hostname, the hostname can be spoofed by using a backslash () character as part of the scheme delimiter, e.g. scheme:/\hostname. If the hostname is used in security decisions, the decision may be incorrect.

Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.

Example URL: https:/\expected-example.com/path Escaped string: https:/\expected-example.com/path (JavaScript strings must escape backslash)

Affected versions incorrectly return no hostname. Patched versions correctly return expected-example.com. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class. Patches

Version 1.19.6 is patched against all known payload variants. References

https://github.com/medialize/URI.js/releases/tag/v1.19.6 (fix for this particular bypass) https://github.com/medialize/URI.js/releases/tag/v1.19.4 (fix for related bypass) https://github.com/medialize/URI.js/releases/tag/v1.19.3 (fix for related bypass) PR #233 (initial fix for backslash handling) For more information

If you have any questions or comments about this advisory, open an issue in https://github.com/medialize/URI.js Reporter credit

Yaniv Nizry from the CxSCA AppSec team at Checkmarx

justincorrigible commented 3 years ago

Merged to main