Debian 9820 Published by

A node-url-parse security update has been released for Debian GNU/Linux 10 LTS to address multiple vulnerabilities.



DLA 3336-1: node-url-parse security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3336-1 debian-lts@lists.debian.org
  https://www.debian.org/lts/security/ Guilhem Moulin
February 23, 2023   https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : node-url-parse
Version : 1.2.0-2+deb10u2
CVE ID : CVE-2021-3664 CVE-2021-27515 CVE-2022-0512 CVE-2022-0639
CVE-2022-0686 CVE-2022-0691
Debian Bug : 985110 991577

Multiple vulnerabilities were found in node-types-url-parse, a Node.js
module used to parse URLs, which may result in authorization bypass or
redirection to untrusted sites.

CVE-2021-3664

url-parse mishandles certain uses of a single (back)slash such as
https:\ & https:/ and interprets the URI as a relative path.
Browsers accept a single backslash after the protocol, and treat it
as a normal slash, while url-parse sees it as a relative path.
Depending on library usage, this may result in allow/block list
bypasses, SSRF attacks, open redirects, or other undesired behavior.

CVE-2021-27515

Using backslash in the protocol is valid in the browser, while
url-parse thinks it's a relative path. An application that
validates a URL using url-parse might pass a malicious link.

CVE-2022-0512

Incorrect handling of username and password can lead to failure to
properly identify the hostname, which in turn could result in
authorization bypass.

CVE-2022-0639

Incorrect conversion of `@` characters in protocol in the `href`
field can lead to lead to failure to properly identify the hostname,
which in turn could result in authorization bypass.

CVE-2022-0686

Rohan Sharma reported that url-parse is unable to find the correct
hostname when no port number is provided in the URL, such as in
`  http://example.com:`. This could in turn result in SSRF attacks,
open redirects or any other vulnerability which depends on the
`hostname` field of parsed URL.

CVE-2022-0691

url-parse is unable to find the correct hostname when the URL
contains a backspace `\b` character. This tricks the parser into
interpreting the URL as a relative path, bypassing all hostname
checks. It can also lead to false positive in `extractProtocol()`.

For Debian 10 buster, these problems have been fixed in version
1.2.0-2+deb10u2.

We recommend that you upgrade your node-url-parse packages.

For the detailed security status of node-url-parse please refer to
its security tracker page at:
  https://security-tracker.debian.org/tracker/node-url-parse

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at:   https://wiki.debian.org/LTS