Bug 1989389 (CVE-2021-3664)

Summary: CVE-2021-3664 nodejs-url-parse: URL Redirection to Untrusted Site
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, alazarot, anpicker, anstephe, aos-bugs, bdettelb, bmontgom, caswilli, chazlett, emingora, eparis, fjansen, gmalinko, gparvin, ibek, janstey, jburrell, jochrist, jrokos, jross, jwendell, jwon, kaycoth, kverlaen, mnovotny, nstielau, pjindal, rcernich, rfreiman, rgodfrey, rguimara, spasquie, sponnaga, stcannon, tcarlin, tomckay, twalsh, vmugicag
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: url-parse 1.5.2 Doc Type: No Doc Update
Doc Text:
An input validation flaw was found in the nodejs url-parse library, which incorrectly parses a URL that contains backslashes. This flaw allows an attacker to specify a relative URL and cause the browser to redirect to a malicious website. The highest threat from this vulnerability is to integrity. Related vulnerability is CVE-2021-27515.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1992093, 1992094, 1992095, 1992783, 1992784, 1992785, 1992786, 1992787, 1992819, 1995342    
Bug Blocks: 1989390    

Description Dhananjay Arunesh 2021-08-03 06:16:35 UTC 
A vulnerability was found in nodejs-url-parse where url-parse is vulnerable to URL Redirection to Untrusted Site.

References:
https://github.com/unshiftio/url-parse/commit/81ab967889b08112d3356e451bf03e6aa0cbb7e0
Comment 5 Stoyan Nikolov 2021-08-03 08:00:51 UTC 
Upstream fix: https://github.com/unshiftio/url-parse/pull/208
Comment 6 Przemyslaw Roguski 2021-08-04 17:34:21 UTC 
This vulnerability is exactly like CVE-2021-27515.
The fix looks like a incomplete fix for CVE-2021-27515 (https://github.com/unshiftio/url-parse/pull/197/files).
Comment 11 Jon Blackburn 2021-08-12 14:48:08 UTC 
This is only pulled in by default with the webpack-dev-server.  We don't actually use the url-parse package in our application.  Is there anything else we need to do with this?