URI.js is a Javascript URL mutation library. Before version 1.19.9, whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly. This issue has been patched in version 1.19.9. Removing leading whitespace from values before passing them to URI.parse can be used as a workaround. References: https://github.com/medialize/URI.js/security/advisories/GHSA-gmv4-r438-p67f https://huntr.dev/bounties/82ef23b8-7025-49c9-b5fc-1bb9885788e5/ Upstream patch: https://github.com/medialize/uri.js/commit/86d10523a6f6e8dc4300d99d671335ee362ad316
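Added illustration of the workaround described above (example code, not from URI.js or the advisory): input is stripped of leading whitespace before it reaches the parser. URI.js is not loaded here, so a small RFC 3986 scheme extractor stands in for URI.parse; the function names and sample URLs are constructed for this example.

```javascript
// Remove only the leading run of whitespace (ASCII and Unicode, via \s) so the
// scheme starts at offset 0. Interior whitespace is left untouched on purpose.
function stripLeadingWhitespace(value) {
  if (typeof value !== 'string') return value;
  return value.replace(/^\s+/, '');
}

// Stand-in scheme extractor (constructed for this example, not URI.js code):
// RFC 3986 scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
// Like the pre-1.19.9 behaviour described in the advisory, it does not tolerate
// leading whitespace, so a padded URL yields no scheme at all.
function extractScheme(value) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(value);
  return m ? m[1].toLowerCase() : null;
}

// Workaround wrapper: normalise first, then hand the cleaned string to the
// parser (URI.parse in a real deployment; the stand-in here by default).
// Reports whether normalisation changed anything so the caller can log it.
function parseWithWorkaround(value, parse = extractScheme) {
  const cleaned = stripLeadingWhitespace(value);
  return { cleaned, scheme: parse(cleaned), changed: cleaned !== value };
}

// Constructed sample inputs; the second and third carry leading whitespace.
const SAMPLES = [
  'https://example.com/path',
  '  https://example.com/path',
  '\t\nhttps://example.com/path',
];

// Compare the scheme seen without and with the workaround for each sample.
function demo() {
  return SAMPLES.map((s) => ({
    input: JSON.stringify(s),
    withoutWorkaround: extractScheme(s),
    withWorkaround: parseWithWorkaround(s).scheme,
  }));
}

console.table(demo());
```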
Created dotnet3.1 tracking bugs for this issue: Affects: fedora-all [bug 2062372] Created nodejs-bash-language-server tracking bugs for this issue: Affects: fedora-all [bug 2062371]
Services affected/delegated:
services-insights-essentials/remediations/insights-remediations:971e5ea/urijs-1.19.6 https://github.com/RedHatInsights/insights-remediations/blob/master/package-lock.json
services-insights-essentials/remediations/remediations:971e5ea/urijs-1.19.6 https://github.com/RedHatInsights/insights-remediations/blob/master/package-lock.json
services-insights-essentials/insights-remediations-frontend/insights-remediations-frontend:288a20a/urijs-1.19.10 https://github.com/RedHatInsights/insights-remediations-frontend/blob/master/package-lock.json
services-advisor/advisor/insights-advisor-frontend:95f9c0c/urijs-1.19.7 https://github.com/RedHatInsights/insights-advisor-frontend/blob/production/package-lock.json
services-compliance/compliance/compliance-frontend:634d358/urijs-1.19.7 https://github.com/RedHatInsights/compliance-frontend/blob/master/package-lock.json
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8 Via RHSA-2022:1681 https://access.redhat.com/errata/RHSA-2022:1681
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7 Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8 Via RHSA-2022:1715 https://access.redhat.com/errata/RHSA-2022:1715
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-24723
This issue has been addressed in the following products: Red Hat Fuse 7.11.1 Via RHSA-2022:8652 https://access.redhat.com/errata/RHSA-2022:8652