Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
Reference:
https://github.com/unshiftio/url-parse/commit/0e3fb542d60ddbf6933f22eb9b1e06e25eaa5b63
https://huntr.dev/bounties/57124ed5-4b68-4934-8325-2c546257f2e4
services affected per following:
services-ccx/advisor-frontend:a764354/url-parse-1.5.1 https://github.com/RedHatInsights/ocp-advisor-frontend/blob/prod-stable/package-lock.json
services-management-platform/frontend-starter-app/frontend-starter-app:2b2ef7d/url-parse-1.5.1 https://github.com/RedHatInsights/sed-frontend/blob/master/package-lock.json
services-rhods/rhods/jupyterhub-odh:64e363a/url-parse-1.4.7 https://github.com/red-hat-data-services/jupyterhub-odh/blob/master/package-lock.json
services-rhcert/rhcert-spa:c8824a1/url-parse-1.5.3 https://gitlab.cee.redhat.com/certification/rhcert-spa/blob/master/package-lock.json
services-rhcert/rhcert-spa:c8824a1/url-parse-1.5.3 https://gitlab.cee.redhat.com/certification/rhcert-spa/blob/master/yarn.lock
services-assisted-installer/facet:11c368f/url-parse-1.5.3 https://github.com/openshift-assisted/assisted-ui/blob/master/yarn.lock
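The affected services above were identified from their lockfiles. The following is an added example (not Red Hat tooling and not part of this bug record) of a lockfile check for the same condition: it walks a package-lock.json, including nested copies of url-parse that a top-level `npm ls` style check can miss, and reports every install of url-parse below the 1.5.9 fix threshold named in the advisory. It handles both the flat "packages" layout of lockfileVersion 2/3 and the nested "dependencies" layout of lockfileVersion 1. The two sample lockfiles embedded in it are constructed for illustration; only the version numbers (1.4.7, 1.5.1, 1.5.3 affected, 1.5.9 fixed) come from the advisory.

```python
import json
import re

# Threshold from the advisory: url-parse versions prior to 1.5.9 are affected.
PACKAGE = "url-parse"
FIXED_VERSION = "1.5.9"


def parse_version(version):
    """Turn 'MAJOR.MINOR.PATCH[-prerelease]' into a comparable tuple.

    A pre-release (e.g. '1.5.9-rc.1') sorts below the corresponding release,
    so it is still reported as affected.
    """
    core, _, prerelease = version.partition("-")
    parts = [int(p) for p in re.findall(r"\d+", core)[:3]]
    parts += [0] * (3 - len(parts))
    return tuple(parts) + ((0,) if prerelease else (1,))


def is_affected(version):
    """True when the installed version is below the fixed version."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def iter_lock_entries(lock):
    """Yield (name, install_path, version) for every package in a package-lock.json.

    lockfileVersion 2 and 3 list packages flat under "packages", keyed by install
    path; lockfileVersion 1 nests them under "dependencies". A v2 file carries
    both, so "packages" is preferred to avoid double counting.
    """
    packages = lock.get("packages")
    if packages:
        for path, meta in packages.items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield name, path, meta.get("version")
        return

    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield name, path, meta.get("version")
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def find_vulnerable(lock):
    """Return sorted (install_path, version) pairs for every affected url-parse
    copy, including nested duplicates that a top-level check would miss."""
    hits = {
        (path, version)
        for name, path, version in iter_lock_entries(lock)
        if name == PACKAGE and version and is_affected(version)
    }
    return sorted(hits)


def scan_lockfile(filename):
    """Load a package-lock.json from disk and report affected url-parse entries."""
    with open(filename, encoding="utf-8") as fh:
        return find_vulnerable(json.load(fh))


# Constructed sample lockfiles (not taken from any of the repositories listed above).
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "url-parse": {"version": "1.5.3"},
        "some-lib": {
            "version": "2.0.0",
            "dependencies": {"url-parse": {"version": "1.4.7"}},
        },
    },
}

SAMPLE_LOCK_V3 = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/url-parse": {"version": "1.5.9"},
        "node_modules/old-app/node_modules/url-parse": {"version": "1.5.1"},
    },
}

if __name__ == "__main__":
    import sys
    # Usage: python check_url_parse.py path/to/package-lock.json [...]
    for lockfile in sys.argv[1:]:
        for path, version in scan_lockfile(lockfile):
            print(f"{lockfile}: {path} url-parse@{version} < {FIXED_VERSION}")
    for label, sample in (("v1 sample", SAMPLE_LOCK_V1), ("v3 sample", SAMPLE_LOCK_V3)):
        print(label, find_vulnerable(sample))
```

Note that a yarn.lock (two of the entries above) uses a different, non-JSON format and is not handled by this script; the version comparison is the reusable part.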
This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.7 Via RHSA-2022:6429 https://access.redhat.com/errata/RHSA-2022:6429
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-0691