Skip to content
This repository has been archived by the owner on Feb 18, 2022. It is now read-only.

Security Alert - Package: url-parse; Severity: MODERATE #790

Open
phenggeler opened this issue Jan 25, 2022 · 1 comment
Open

Security Alert - Package: url-parse; Severity: MODERATE #790

phenggeler opened this issue Jan 25, 2022 · 1 comment

Comments

@phenggeler
Copy link

phenggeler commented Jan 25, 2022
edited 

    Affected package: url-parse
    Ecosystem: NPM
    Affected version range: < 1.5.0

    Summary: Path traversal in url-parse
    Description: url-parse before 1.5.0 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path.
    identifiers: [{'type': 'GHSA', 'value': 'GHSA-9m6j-fcg5-2442'}, {'type': 'CVE', 'value': 'CVE-2021-27515'}]

    Fixed Version: 1.5.0
    Created Date = January 25, 2022

    

    ---
    
    Affected package: url-parse
    Ecosystem: NPM
    Affected version range: < 1.5.2

    Summary: Open redirect in url-parse
    Description: # Overview

Affected versions of npm url-parse are vulnerable to URL Redirection to Untrusted Site.

Impact

Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.
identifiers: [{'type': 'GHSA', 'value': 'GHSA-hh27-ffr2-f2jc'}, {'type': 'CVE', 'value': 'CVE-2021-3664'}]

    Fixed Version: 1.5.2
    Created Date = January 25, 2022

    

    ---
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Catacola @phenggeler