Headline
CVE-2022-0691: [fix] Strip all control characters from the beginning of the URL · unshiftio/url-parse@0e3fb54
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
@@ -47,8 +47,14 @@ describe('url-parse’, function () {
assume(parse.trimLeft).is.a(‘function’);
});
it('removes whitespace on the left’, function () {
assume(parse.trimLeft(' lol’)).equals(‘lol’);
it('removes control characters on the left’, function () {
var i = 0;
var prefix = ‘’
for (; i < 33; i++) {
prefix = String.fromCharCode(i);
assume(parse.trimLeft(prefix + prefix +’lol’)).equals(‘lol’);
}
});
it('calls toString on a given value’, function () {
Related news
Dell Streaming Data Platform prior to 1.4 contains Open Redirect vulnerability. An attacker with privileges same as a legitimate user can phish the legitimate the user to redirect to malicious website leading to information disclosure and launch of phishing attacks.
An issue was discovered in Siren Investigate before 12.1.7. Script variable whitelisting is insufficiently sandboxed.
Red Hat Security Advisory 2022-6429-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include bypass, code execution, and denial of service vulnerabilities.
The Migration Toolkit for Containers (MTC) 1.7.4 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-28500: nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions * CVE-2021-23337: nodejs-lodash: command injection via template * CVE-2022-0512: nodejs-url-parse: authorization bypass through user-controlled key * CVE-2022-0639: npm-url-parse: Authorization Bypass Through User-Controlled Key * CVE-2022-0686: npm-url-parse: Authorization bypass thr...