Description
An attacker can use mixed-case protocol schemes such as HTTP, htTP, or HTtp to bypass the patch for CVE-2021-3647 (hostname spoofing via backslashes in the URL), because the fix only recognizes the lowercase spelling of the scheme.
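The following added example (not urijs code) illustrates the class of defect from the defender's side: a hypothetical host extractor that recognizes the scheme case-sensitively handles `http:\\host` but not `HTTP:\\host`, while a version that lowercases the scheme first (as RFC 3986 requires) agrees with Node's WHATWG `URL` parser on both spellings. All URLs are constructed sample inputs.

```javascript
// Added example, not from the urijs project. Schemes are case-insensitive
// (RFC 3986 section 3.1), so they must be lowercased before any comparison.
// WHATWG "special" schemes treat a backslash like a forward slash.
const SPECIAL_SCHEMES = new Set(['http', 'https', 'ftp', 'ws', 'wss']);

// Flawed pattern: backslashes are only normalized when the scheme is spelled
// exactly "http" or "https", so "HTTP:\\evil.example" skips the handling
// and yields a host string a browser would never see.
function naiveHostname(url) {
  let rest = url.replace(/^[a-zA-Z][a-zA-Z0-9+.-]*:/, '');
  if (/^https?:/.test(url)) rest = rest.replace(/\\/g, '/'); // case-sensitive
  const m = /^\/*([^/?#]*)/.exec(rest);
  return m[1] || null;
}

// Hardened pattern: lowercase the scheme before deciding whether backslashes
// act as authority delimiters, then require an explicit "//" authority.
function hardenedHostname(url) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):(.*)$/s.exec(url);
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  let rest = m[2];
  if (SPECIAL_SCHEMES.has(scheme)) rest = rest.replace(/\\/g, '/');
  const h = /^\/\/([^/?#]*)/.exec(rest);
  return h ? h[1] : null;
}

// Oracle check against the platform URL parser, which a browser would follow.
function agreesWithUrlParser(extract, url) {
  return extract(url) === new URL(url).hostname;
}

// Constructed sample: the same host with lowercase and mixed-case schemes.
const SAMPLES = ['http:\\\\evil.example/x', 'HTTP:\\\\evil.example/x', 'htTP://a.example/'];
for (const u of SAMPLES) {
  console.log(u, '| naive:', naiveHostname(u), '| hardened:', hardenedHostname(u),
    '| matches URL parser:', agreesWithUrlParser(hardenedHostname, u));
}
```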
Recommendation
Update the urijs package to the latest compatible version. Version details:
- Affected version(s): < 1.19.8
- Patched version(s): 1.19.8
References
- GHSA-gcv8-gh4r-25x6
- huntr.dev
- lists.fedoraproject.org
- CVE-2022-0613
- CWE-639
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Related Issues
- URIjs Vulnerable to Hostname spoofing via backslashes in URL - CVE-2021-3647
- Budibase affected by VM2 Constructor Escape Vulnerability - Vulnerability
- Marvin Attack of RSA and RSAOAEP decryption in jsrsasign - CVE-2024-21484
- URIjs Hostname spoofing via backslashes in URL - CVE-2021-27516
Tags:
- npm
- urijs
Last updated on February 03, 2023