Insufficient validation and sanitization of user input in the url-parse npm package, version 1.4.4 and earlier, may allow an attacker to bypass security checks. References: https://hackerone.com/reports/496293
Upstream commit: https://github.com/unshiftio/url-parse/commit/3ecd256f127c3ada36a84d9b8dd3ebd14316274b
Created nodejs-url-parse-lax tracking bugs for this issue:

Affects: epel-7 [bug 1802346]
OpenShift ServiceMesh is packaging a vulnerable version of nodejs url-parse (1.4.4) in the container:

- distributed-tracing/jaeger-rhel7-operator

Also found in the kiali rpm. The grafana component included within ServiceMesh itself also includes url-parse, but it is version 1.4.7 and is not vulnerable.
This issue has been addressed in the following products:

  Openshift Service Mesh 1.0

Via RHSA-2020:0972 https://access.redhat.com/errata/RHSA-2020:0972
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8124