Description
An attacker can supply the protocol scheme in alternative capitalisations (HTTP, htTP, HTtp, etc.), which are equivalent spellings because scheme names are case-insensitive, in order to bypass the patch for CVE-2021-3647.
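As an added example (not urijs code, and not the actual CVE-2021-3647 patch), the following JavaScript shows how a check that compares the scheme text as written is skipped by the mixed-case spellings named above, and how normalising the scheme before comparing closes that gap; `needsHardeningWeak`, `needsHardeningFixed`, `audit` and the `example.test` host are constructed for illustration.

```javascript
// Added example, not urijs code: why a scheme check must be case-insensitive.
// RFC 3986 section 3.1 makes scheme names case-insensitive ("HTtp" is "http"),
// so any rule gated on the scheme as written is skipped by mixed-case input,
// which is the bypass pattern CVE-2022-0613 describes. The gate below is a
// constructed stand-in for illustration, not the real urijs patch.

// Scheme exactly as written in the input, without normalisation (null if none).
function rawScheme(url) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(url);
  return m ? m[1] : null;
}

// Weak gate: extra hardening runs only when the scheme string equals
// "http" or "https" exactly, so "HTtp://" slips past it (fails open).
function needsHardeningWeak(url) {
  const s = rawScheme(url);
  return s === "http" || s === "https";
}

// Fixed gate: lowercase the scheme first, so every spelling hits the rule.
function needsHardeningFixed(url) {
  const s = rawScheme(url);
  return s !== null && ["http", "https"].includes(s.toLowerCase());
}

// Alternative: let a standards-based parser canonicalise. Node's built-in
// WHATWG URL lowercases url.protocol, so comparisons against it are
// case-insensitive by construction. Returns null for unparsable input.
function canonicalScheme(url) {
  try {
    return new URL(url).protocol.slice(0, -1); // drop trailing ":"
  } catch {
    return null;
  }
}

// The spellings named in the advisory, on a constructed host.
function bypassSpellings() {
  return ["HTTP", "htTP", "HTtp"].map((p) => `${p}://example.test/`);
}

// Regression check: every spelling must reach the fixed gate, and the weak
// gate must be shown to miss all of them.
function audit() {
  return bypassSpellings().map((u) => ({
    url: u,
    weak: needsHardeningWeak(u),
    fixed: needsHardeningFixed(u),
    canonical: canonicalScheme(u),
  }));
}
```

Running `audit()` gives one row per spelling, with `weak: false` and `fixed: true` for all three, which is the behaviour a unit test for this class of bug should pin down.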
Recommendation
Update the urijs package to the latest compatible version. Version details:
- Affected version(s): < 1.19.8
- Patched version(s): 1.19.8
References
- GHSA-gcv8-gh4r-25x6
- huntr.dev
- lists.fedoraproject.org
- CVE-2022-0613
- CWE-639
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Related Issues
- Authorization Bypass Through User-Controlled Key in url-parse - CVE-2022-0686
- StudioCMS has Authorization Bypass Through User-Controlled Key - CVE-2026-24134
- matrix-js-sdk subject to user impersonation due to key/device identifier confusion in SAS verification - CVE-2022-39250
- Authorization bypass in url-parse - CVE-2022-0512
Tags
- npm
- urijs
Last updated on February 03, 2023