This repository has been archived by the owner on Feb 18, 2022. It is now read-only.

Security Alert - Package: url-parse; Severity: MODERATE #790

Open
phenggeler opened this issue Jan 25, 2022 · 1 comment

Comments


phenggeler commented Jan 25, 2022

    Affected package: url-parse
    Ecosystem: NPM
    Affected version range: < 1.5.0

    Summary: Path traversal in url-parse
    Description: url-parse before 1.5.0 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path.
    identifiers: [{'type': 'GHSA', 'value': 'GHSA-9m6j-fcg5-2442'}, {'type': 'CVE', 'value': 'CVE-2021-27515'}]

    Fixed Version: 1.5.0
    Created Date = January 25, 2022


    ---

    Affected package: url-parse
    Ecosystem: NPM
    Affected version range: < 1.5.2

    Summary: Open redirect in url-parse
    Description: # Overview
    Affected versions of npm url-parse are vulnerable to URL Redirection to Untrusted Site.
    Impact
    Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.
    identifiers: [{'type': 'GHSA', 'value': 'GHSA-hh27-ffr2-f2jc'}, {'type': 'CVE', 'value': 'CVE-2021-3664'}]

    Fixed Version: 1.5.2
    Created Date = January 25, 2022


    ---
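A defensive redirect-target check for the two alerts above (the backslash confusion in the first, the allow/block list bypass and open-redirect impact in the second), added here as an example; it is not code from the issue, the alerting tool or the url-parse project. It uses only Node's built-in WHATWG `URL` class; the allowlist and the sample inputs are constructed.

```javascript
// Added example (not from the issue or url-parse): validate a redirect target
// without trusting a lenient URL parser's view of which host it points at.

// Constructed allowlist of hosts this application may redirect to.
const ALLOWED_HOSTS = new Set(['example.com', 'www.example.com']);

// Returns { ok, reason, hostname }; reason is a plain string for logging.
function checkRedirectTarget(input) {
  if (typeof input !== 'string' || input.length === 0) {
    return { ok: false, reason: 'empty', hostname: null };
  }
  // url-parse < 1.5.0 read "http:\/host" as a relative path, while browsers
  // and the WHATWG parser treat "\" as "/" in special schemes. Refusing
  // backslashes (and control characters) before parsing removes the
  // disagreement instead of trying to adjudicate it after the fact.
  if (/[\\\u0000-\u001f\u007f]/.test(input)) {
    return { ok: false, reason: 'forbidden character', hostname: null };
  }
  let url;
  try {
    url = new URL(input); // no base URL, so relative input throws
  } catch {
    return { ok: false, reason: 'not an absolute URL', hostname: null };
  }
  if (url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme not https', hostname: url.hostname };
  }
  if (url.username !== '' || url.password !== '') {
    return { ok: false, reason: 'credentials in authority', hostname: url.hostname };
  }
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    return { ok: false, reason: 'host not allowed', hostname: url.hostname };
  }
  return { ok: true, reason: null, hostname: url.hostname };
}

// Illustrates why the backslash rule exists: the WHATWG parser silently
// normalises "https:\/www.example.com/" into an absolute URL for that host,
// so a parser that instead sees a relative path would disagree about the target.
function whatwgHostOf(input) {
  try {
    return new URL(input).hostname;
  } catch {
    return null;
  }
}
```

Running `checkRedirectTarget` on every redirect parameter before issuing a 3xx response keeps the decision on the strict parser's result and rejects the ambiguous inputs outright.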