Insufficient validation and sanitization of user input in the url-parse npm package, version 1.4.4 and earlier, may allow an attacker to bypass security checks.
Created nodejs-url-parse-lax tracking bugs for this issue:
Affects: epel-7 [bug 1802346]
OpenShift ServiceMesh is packaging a vulnerable version of nodejs url-parse (1.4.4) in the container:
Also found in the kiali rpm.
The grafana component included within ServiceMesh itself also includes url-parse, but at version 1.4.7, and is not vulnerable.
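The comments above turn on which copies of url-parse sit in a shipped dependency tree and at which version (1.4.4 in the ServiceMesh container and the kiali rpm, 1.4.7 in the bundled grafana). The following is an added example, not code from the bug report or from any of the products named in it: it walks an npm lockfile (both the nested lockfileVersion 1 layout and the flat "packages" map of lockfileVersion 2/3), lists every url-parse entry with its install path, and flags the ones the advisory text names as affected, i.e. 1.4.4 and earlier. The lockfile contents and the package name `kiali-ui` are constructed sample input, not taken from the page.

```python
"""Audit an npm lockfile for url-parse versions named as affected (1.4.4 and earlier).

Added example, not part of the bug report. Assumes the two npm lockfile shapes:
lockfileVersion 1 (nested "dependencies") and lockfileVersion 2/3 (flat "packages"
keyed by "node_modules/..." paths). LOCKFILE_V2 and LOCKFILE_V1 are constructed samples.
"""
import json
import re

PACKAGE = "url-parse"
LAST_AFFECTED = (1, 4, 4)   # "version 1.4.4 and earlier", as the report states


def parse_version(v):
    """Turn '1.4.4' (a pre-release suffix is ignored) into a comparable tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the version is 1.4.4 or earlier."""
    return parse_version(version) <= LAST_AFFECTED


def _walk_v1(deps, path, out):
    """Recurse through the nested lockfileVersion 1 'dependencies' tree."""
    for name, info in (deps or {}).items():
        here = path + [name]
        if name == PACKAGE:
            out.append(("/".join(here), info.get("version", "")))
        _walk_v1(info.get("dependencies"), here, out)


def find_url_parse(lock):
    """Return [(install_path, version)] for every url-parse entry in the lockfile."""
    found = []
    if "packages" in lock:            # lockfileVersion 2 or 3: flat map of paths
        for key, info in lock["packages"].items():
            # the last path component after the final "node_modules/" is the package name
            if key and key.split("node_modules/")[-1] == PACKAGE:
                found.append((key, info.get("version", "")))
    else:                             # lockfileVersion 1: nested tree
        _walk_v1(lock.get("dependencies"), [], found)
    return found


def affected_entries(lock):
    """Only the url-parse entries whose version is 1.4.4 or earlier."""
    return [(p, v) for p, v in find_url_parse(lock) if v and is_affected(v)]


# Constructed sample: a flat v2 lockfile with two copies of url-parse, one nested
# under a hypothetical "grafana-dashboard" package at the fixed 1.4.7.
LOCKFILE_V2 = json.loads("""
{
  "lockfileVersion": 2,
  "packages": {
    "": {"name": "sample-app", "version": "0.0.1"},
    "node_modules/url-parse": {"version": "1.4.4"},
    "node_modules/grafana-dashboard": {"version": "6.0.0"},
    "node_modules/grafana-dashboard/node_modules/url-parse": {"version": "1.4.7"}
  }
}
""")

# Constructed sample: the older nested v1 layout; "kiali-ui" is a made-up package name.
LOCKFILE_V1 = json.loads("""
{
  "lockfileVersion": 1,
  "dependencies": {
    "kiali-ui": {"version": "1.0.0",
                 "dependencies": {"url-parse": {"version": "1.4.4"}}},
    "url-parse": {"version": "1.4.7"}
  }
}
""")

if __name__ == "__main__":
    for label, lock in (("v2", LOCKFILE_V2), ("v1", LOCKFILE_V1)):
        print(label, "all:", find_url_parse(lock))
        print(label, "affected:", affected_entries(lock))
```

Running it on a real lockfile (`json.load(open("package-lock.json"))`) lists every nested copy, which matters here because a fixed top-level url-parse does not rule out an older copy pinned deeper in the tree by another package.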
This issue has been addressed in the following products:
Openshift Service Mesh 1.0
Via RHSA-2020:0972 https://access.redhat.com/errata/RHSA-2020:0972
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):