UbuntuUpdates.org

Package "node-url-parse"

Name: node-url-parse

Description:

Parse URL in node using the URL module and in the browser using the DOM

Latest version: 1.2.0-1ubuntu0.1
Release: bionic (18.04)
Level: security
Repository: universe
Homepage: https://github.com/unshiftio/url-parse#readme

Other versions of "node-url-parse" in Bionic

Repository  Area      Version
base        universe  1.2.0-1
updates     universe  1.2.0-1ubuntu0.1

Changelog

Version: 1.2.0-1ubuntu0.1 2023-03-27 16:06:54 UTC

  node-url-parse (1.2.0-1ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Authorization Bypass
    - debian/patches/CVE-2022-0512[1-7].patch: fixed improper input handling
      in node-url-parse for input containing the at sign.
    - debian/patches/CVE-2022-0639[1-2].patch: fixed improper input handling
      in node-url-parse in toString function.
    - debian/patches/CVE-2022-0686[1-7].patch: fixed improper input handling
      in node-url-parse when input contains specified but empty port.
    - debian/patches/CVE-2022-0691[1-4].patch: fixed improper input handling
      in node-url-parse for input containing URL beginning with control
      characters.
    - CVE-2022-0512
    - CVE-2022-0639
    - CVE-2022-0686
    - CVE-2022-0691
  * SECURITY UPDATE: Open Redirect, SSRF, and DoS
    - debian/patches/CVE-2018-3774[1-4].patch: fixed improper input handling
      in node-url-parse for certain crafted hostnames.
    - debian/patches/CVE-2021-27515[1-2].patch: fixed improper input handling
      in node-url-parse for input containing backslash.
    - debian/patches/CVE-2021-3664[1-5].patch: fixed improper input handling
      in node-url-parse for input containing backslash.
    - CVE-2018-3774
    - CVE-2021-27515
    - CVE-2021-3664
  * SECURITY UPDATE: Bypass Input Validation
    - debian/patches/CVE-2020-8124.patch: fixed improper input handling
      in node-url-parse when used in the browser.
    - CVE-2020-8124

 -- Amir Naseredini <email address hidden> Thu, 23 Mar 2023 14:28:19 +0000

CVE-2022-0512 Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.
CVE-2022-0639 Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.
CVE-2022-0686 Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
CVE-2022-0691 Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
CVE-2018-3774 Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authenticati
CVE-2021-27515 url-parse before 1.5.0 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path.
CVE-2021-3664 url-parse is vulnerable to URL Redirection to Untrusted Site
CVE-2020-8124 Insufficient validation and sanitization of user input exists in url-parse npm package version 1.4.4 and earlier may allow attacker to bypass securit


