Bug 1934470 (CVE-2021-27516) - CVE-2021-27516 nodejs-urijs: mishandling certain uses of backslash may lead to confidentiality compromise
Summary: CVE-2021-27516 nodejs-urijs: mishandling certain uses of backslash may lead t...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-27516
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1934471
TreeView+ depends on / blocked
 
Reported: 2021-03-03 10:23 UTC by Marian Rehak
Modified: 2021-10-19 14:08 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nodejs-urijs where URI.js (urijs) mishandles certain uses of the backslash such as http:\/ and interprets the URI as a relative path. The highest threat from this vulnerability is to confidentiality.
Clone Of:
Environment:
Last Closed: 2021-10-19 14:08:37 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3917 0 None None None 2021-10-19 12:10:47 UTC

Description Marian Rehak 2021-03-03 10:23:56 UTC 
URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path.

Reference:

https://github.com/medialize/URI.js/commit/a1ad8bcbc39a4d136d7e252e76e957f3ece70839
https://github.com/medialize/URI.js/releases/tag/v1.19.6
Comment 4 RaTasha Tillery-Smith 2021-03-08 18:18:31 UTC 
Statement:

Red Hat Quay includes the urijs dependency in it's package.lock file but it's not used anywhere in the code.

Red Hat Advanced Cluster Management for Kubernetes uses Quay as a service, but not code from Quay that exists in RHACM.
Comment 6 errata-xmlrpc 2021-10-19 12:10:46 UTC 
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917
Comment 7 Product Security DevOps Team 2021-10-19 14:08:37 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-27516
Note You need to log in before you can comment on or make changes to this bug.