Bug 2060018 (CVE-2022-0686) - CVE-2022-0686 npm-url-parse: Authorization bypass through user-controlled key
Summary: CVE-2022-0686 npm-url-parse: Authorization bypass through user-controlled key
Keywords:
Status: NEW
Alias: CVE-2022-0686
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2060936 2060937 2060940
Blocks: 2057443
TreeView+ depends on / blocked
 
Reported: 2022-03-02 14:21 UTC by Marian Rehak
Modified: 2022-05-09 08:32 UTC (History)
16 users (show)

Fixed In Version: url-parse 1.5.8
Doc Type: If docs needed, set a value
Doc Text:
An authorization bypass flaw was found in url-parse. While submitting a URL, a local unauthenticated attacker can add a trailing colon (:), but omit the port number. This issue enables an open redirect that allows the exposure of sensitive information or spamming of infrastructure outside the vulnerable server.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Marian Rehak 2022-03-02 14:21:44 UTC
Authorization Bypass Through User-Controlled Key in NPM url-parse.

Reference:

https://huntr.dev/bounties/55fd06cd-9054-4d80-83be-eb5a454be78c
https://github.com/unshiftio/url-parse/commit/d5c64791ef496ca5459ae7f2176a31ea53b127e5

Comment 2 juneau 2022-03-04 15:55:04 UTC
services affected per following:

services-ccx/advisor-frontend:a764354/url-parse-1.5.1 https://github.com/RedHatInsights/ocp-advisor-frontend/blob/prod-stable/package-lock.json

services-management-platform/frontend-starter-app/frontend-starter-app:2b2ef7d/url-parse-1.5.1 https://github.com/RedHatInsights/sed-frontend/blob/master/package-lock.json

services-rhods/rhods/jupyterhub-odh:64e363a/url-parse-1.4.7 https://github.com/red-hat-data-services/jupyterhub-odh/blob/master/package-lock.json

services-rhcert/rhcert-spa:c8824a1/url-parse-1.5.3 https://gitlab.cee.redhat.com/certification/rhcert-spa/blob/master/package-lock.json
services-rhcert/rhcert-spa:c8824a1/url-parse-1.5.3 https://gitlab.cee.redhat.com/certification/rhcert-spa/blob/master/yarn.lock

services-assisted-installer/facet:11c368f/url-parse-1.5.3 https://github.com/openshift-assisted/assisted-ui/blob/master/yarn.lock


Note You need to log in before you can comment on or make changes to this bug.