Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.

References:
https://github.com/unshiftio/url-parse/commit/ef45a1355375a8244063793a19059b4f62fc8788
https://huntr.dev/bounties/83a6bc9a-b542-4a38-82cd-d995a1481155
Services affected (component:commit/dependency version, with the lockfile that records it):
services-ccx/advisor-frontend:a764354/url-parse-1.5.1 https://github.com/RedHatInsights/ocp-advisor-frontend/blob/prod-stable/package-lock.json
services-management-platform/frontend-starter-app/frontend-starter-app:2b2ef7d/url-parse-1.5.1 https://github.com/RedHatInsights/sed-frontend/blob/master/package-lock.json
services-rhods/rhods/jupyterhub-odh:64e363a/url-parse-1.4.7 https://github.com/red-hat-data-services/jupyterhub-odh/blob/master/package-lock.json
services-rhcert/rhcert-spa:c8824a1/url-parse-1.5.3 https://gitlab.cee.redhat.com/certification/rhcert-spa/blob/master/package-lock.json
services-rhcert/rhcert-spa:c8824a1/url-parse-1.5.3 https://gitlab.cee.redhat.com/certification/rhcert-spa/blob/master/yarn.lock
services-assisted-installer/facet:11c368f/url-parse-1.5.3 https://github.com/openshift-assisted/assisted-ui/blob/master/yarn.lock
This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.7, via RHSA-2022:6429 https://access.redhat.com/errata/RHSA-2022:6429
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-0639