[SECURITY] [DLA 3336-1] node-url-parse security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3336-1] node-url-parse security update
From: Guilhem Moulin <guilhem@debian.org>
Date: Thu, 23 Feb 2023 01:55:13 +0100
Message-id: <Y/a5cbeMzR3LihNx@debian.org>
Mail-followup-to: debian-lts-announce@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3336-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
February 23, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : node-url-parse
Version        : 1.2.0-2+deb10u2
CVE ID         : CVE-2021-3664 CVE-2021-27515 CVE-2022-0512 CVE-2022-0639
                 CVE-2022-0686 CVE-2022-0691
Debian Bug     : 985110 991577

Multiple vulnerabilities were found in node-types-url-parse, a Node.js
module used to parse URLs, which may result in authorization bypass or
redirection to untrusted sites.

CVE-2021-3664

    url-parse mishandles certain uses of a single (back)slash such as
    https:\ & https:/ and interprets the URI as a relative path.
    Browsers accept a single backslash after the protocol, and treat it
    as a normal slash, while url-parse sees it as a relative path.
    Depending on library usage, this may result in allow/block list
    bypasses, SSRF attacks, open redirects, or other undesired behavior.

CVE-2021-27515

    Using backslash in the protocol is valid in the browser, while
    url-parse thinks it's a relative path.  An application that
    validates a URL using url-parse might pass a malicious link.

CVE-2022-0512

    Incorrect handling of username and password can lead to failure to
    properly identify the hostname, which in turn could result in
    authorization bypass.

CVE-2022-0639

    Incorrect conversion of `@` characters in protocol in the `href`
    field can lead to lead to failure to properly identify the hostname,
    which in turn could result in authorization bypass.

CVE-2022-0686

    Rohan Sharma reported that url-parse is unable to find the correct
    hostname when no port number is provided in the URL, such as in
    `http://example.com:`.  This could in turn result in SSRF attacks,
    open redirects or any other vulnerability which depends on the
    `hostname` field of parsed URL.

CVE-2022-0691

    url-parse is unable to find the correct hostname when the URL
    contains a backspace `\b` character.  This tricks the parser into
    interpreting the URL as a relative path, bypassing all hostname
    checks.  It can also lead to false positive in `extractProtocol()`.

For Debian 10 buster, these problems have been fixed in version
1.2.0-2+deb10u2.

We recommend that you upgrade your node-url-parse packages.

For the detailed security status of node-url-parse please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-url-parse

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Attachment: signature.asc
Description: PGP signature

Reply to:

Prev by Date: [SECURITY] [DLA 3335-1] asterisk security update
Next by Date: [SECURITY] [DLA 3337-1] mariadb-10.3 security update
Previous by thread: [SECURITY] [DLA 3335-1] asterisk security update
Next by thread: [SECURITY] [DLA 3337-1] mariadb-10.3 security update
Index(es):
- Date
- Thread