------------------------------------------------------------------------- Debian LTS Advisory DLA-3336-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Guilhem Moulin February 23, 2023 https://wiki.debian.org/LTS ------------------------------------------------------------------------- Package : node-url-parse Version : 1.2.0-2+deb10u2 CVE ID : CVE-2021-3664 CVE-2021-27515 CVE-2022-0512 CVE-2022-0639 CVE-2022-0686 CVE-2022-0691 Debian Bug : 985110 991577 Multiple vulnerabilities were found in node-types-url-parse, a Node.js module used to parse URLs, which may result in authorization bypass or redirection to untrusted sites. CVE-2021-3664 url-parse mishandles certain uses of a single (back)slash such as https:\ & https:/ and interprets the URI as a relative path. Browsers accept a single backslash after the protocol, and treat it as a normal slash, while url-parse sees it as a relative path. Depending on library usage, this may result in allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. CVE-2021-27515 Using backslash in the protocol is valid in the browser, while url-parse thinks it's a relative path. An application that validates a URL using url-parse might pass a malicious link. CVE-2022-0512 Incorrect handling of username and password can lead to failure to properly identify the hostname, which in turn could result in authorization bypass. CVE-2022-0639 Incorrect conversion of `@` characters in protocol in the `href` field can lead to lead to failure to properly identify the hostname, which in turn could result in authorization bypass. CVE-2022-0686 Rohan Sharma reported that url-parse is unable to find the correct hostname when no port number is provided in the URL, such as in `http://example.com:`. This could in turn result in SSRF attacks, open redirects or any other vulnerability which depends on the `hostname` field of parsed URL. CVE-2022-0691 url-parse is unable to find the correct hostname when the URL contains a backspace `\b` character. This tricks the parser into interpreting the URL as a relative path, bypassing all hostname checks. It can also lead to false positive in `extractProtocol()`. For Debian 10 buster, these problems have been fixed in version 1.2.0-2+deb10u2. We recommend that you upgrade your node-url-parse packages. For the detailed security status of node-url-parse please refer to its security tracker page at: https://security-tracker.debian.org/tracker/node-url-parse Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature