1915257 – (CVE-2020-26291) CVE-2020-26291 urijs: Hostname spoofing via backslashes in URL

Bug 1915257 (CVE-2020-26291) - CVE-2020-26291 urijs: Hostname spoofing via backslashes in URL

Summary: CVE-2020-26291 urijs: Hostname spoofing via backslashes in URL

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-26291
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1916272 1916273 1916274 1916275 1917715 1917716
Blocks:	1916127
TreeView+	depends on / blocked

Reported:	2021-01-12 10:59 UTC by Michael Kaplan
Modified:	2021-10-19 14:08 UTC (History)
CC List:	4 users (show)
Fixed In Version:	urijs 1.19.4
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in urijs. The hostname can be spoofed by using a backslash (`\`) character followed by an at (`@`) character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.
Clone Of:
Environment:
Last Closed:	2021-10-19 14:08:24 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2021:3917	0	None	None	None	2021-10-19 12:10:28 UTC

Description Michael Kaplan 2021-01-12 10:59:52 UTC

In URI.js before version 1.19.4, the hostname can be spoofed by using a backslash (`\`) character followed by an at (`@`) character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. For example the URL `https://expected-example.com\@observed-example.com` will incorrectly return `observed-example.com` if using an affected version. Patched versions correctly return `expected-example.com`. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class. Version 1.19.4 is patched against all known payload variants. Version 1.19.3 has a partial patch but is still vulnerable to a payload variant.]

External References: 

https://github.com/medialize/URI.js/commit/b02bf037c99ac9316b77ff8bfd840e90becf1155
https://github.com/medialize/URI.js/releases/tag/v1.19.4
https://github.com/medialize/URI.js/security/advisories/GHSA-3329-pjwv-fjpg
https://www.npmjs.com/package/urijs

Comment 3 Mark Cooper 2021-01-18 06:00:03 UTC

Upstream fix: https://github.com/medialize/URI.js/commit/b02bf037c99ac9316b77ff8bfd840e90becf1155

Comment 6 errata-xmlrpc 2021-10-19 12:10:26 UTC

This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917

Comment 7 Product Security DevOps Team 2021-10-19 14:08:24 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-26291

Note You need to log in before you can comment on or make changes to this bug.