-
Notifications
You must be signed in to change notification settings - Fork 4
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed #188
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
renovate
bot
changed the title
chore(deps): update dependency urijs to 1.19.11 [security]
chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed
Mar 27, 2023
renovate
bot
changed the title
chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed
chore(deps): update dependency urijs to 1.19.11 [security]
Mar 28, 2023
renovate
bot
changed the title
chore(deps): update dependency urijs to 1.19.11 [security]
chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed
Mar 28, 2023
renovate
bot
changed the title
chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed
chore(deps): update dependency urijs to 1.19.11 [security]
Mar 28, 2023
renovate
bot
changed the title
chore(deps): update dependency urijs to 1.19.11 [security]
chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed
Mar 28, 2023
renovate
bot
changed the title
chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed
chore(deps): update dependency urijs to 1.19.11 [security]
Mar 28, 2023
renovate
bot
changed the title
chore(deps): update dependency urijs to 1.19.11 [security]
chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed
Mar 29, 2023
renovate
bot
changed the title
chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed
chore(deps): update dependency urijs to 1.19.11 [security]
Mar 30, 2023
renovate
bot
changed the title
chore(deps): update dependency urijs to 1.19.11 [security]
chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed
Mar 30, 2023
renovate
bot
changed the title
chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed
chore(deps): update dependency urijs to 1.19.11 [security]
Mar 30, 2023
renovate
bot
changed the title
chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed
chore(deps): update dependency urijs to 1.19.11 [security]
Mar 31, 2023
renovate
bot
changed the title
chore(deps): update dependency urijs to 1.19.11 [security]
chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed
Mar 31, 2023
renovate
bot
changed the title
chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed
chore(deps): update dependency urijs to 1.19.11 [security]
Mar 31, 2023
renovate
bot
changed the title
chore(deps): update dependency urijs to 1.19.11 [security]
chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed
Apr 3, 2023
renovate
bot
changed the title
chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed
chore(deps): update dependency urijs to 1.19.11 [security]
Apr 3, 2023
renovate
bot
changed the title
chore(deps): update dependency urijs to 1.19.11 [security]
chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed
Apr 3, 2023
renovate
bot
changed the title
chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed
chore(deps): update dependency urijs to 1.19.11 [security]
Apr 3, 2023
renovate
bot
changed the title
chore(deps): update dependency urijs to 1.19.11 [security]
chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed
Apr 17, 2023
renovate
bot
changed the title
chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed
chore(deps): update dependency urijs to 1.19.11 [security]
Apr 18, 2023
renovate
bot
changed the title
chore(deps): update dependency urijs to 1.19.11 [security]
chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed
May 28, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
None yet
0 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.19.2
->1.19.11
GitHub Vulnerability Alerts
CVE-2020-26291
Impact
If using affected versions to determine a URL's hostname, the hostname can be spoofed by using a backslash (
\
) character followed by an at (@
) character. If the hostname is used in security decisions, the decision may be incorrect.Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.
Example URL:
https://expected-example.com\@​observed-example.com
Escaped string:
https://expected-example.com\\@​observed-example.com
(JavaScript strings must escape backslash)Affected versions incorrectly return
observed-example.com
. Patched versions correctly returnexpected-example.com
. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class.Patches
Version 1.19.4 is patched against all known payload variants. Version 1.19.3 has a partial patch but is still vulnerable to a payload variant.
References
https://github.com/medialize/URI.js/releases/tag/v1.19.4 (complete fix for this bypass)
https://github.com/medialize/URI.js/releases/tag/v1.19.3 (partial fix for this bypass)
PR #233 (initial fix for backslash handling)
For more information
If you have any questions or comments about this advisory, open an issue in https://github.com/medialize/URI.js
Reporter credit
Alesandro Ortiz
CVE-2021-27516
Impact
If using affected versions to determine a URL's hostname, the hostname can be spoofed by using a backslash (
\
) character as part of the scheme delimiter, e.g.scheme:/\hostname
. If the hostname is used in security decisions, the decision may be incorrect.Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.
Example URL:
https:/\expected-example.com/path
Escaped string:
https:/\\expected-example.com/path
(JavaScript strings must escape backslash)Affected versions incorrectly return no hostname. Patched versions correctly return
expected-example.com
. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class.Patches
Version 1.19.6 is patched against all known payload variants.
References
https://github.com/medialize/URI.js/releases/tag/v1.19.6 (fix for this particular bypass)
https://github.com/medialize/URI.js/releases/tag/v1.19.4 (fix for related bypass)
https://github.com/medialize/URI.js/releases/tag/v1.19.3 (fix for related bypass)
PR #233 (initial fix for backslash handling)
For more information
If you have any questions or comments about this advisory, open an issue in https://github.com/medialize/URI.js
Reporter credit
Yaniv Nizry from the CxSCA AppSec team at Checkmarx
CVE-2021-3647
Impact
If using affected versions to determine a URL's hostname, the hostname can be spoofed by using a combination of backslash (
\
) and slash (/
) characters as part of the scheme delimiter, e.g.scheme:/\/\/\hostname
. If the hostname is used in security decisions, the decision may be incorrect.Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.
Example URL:
https:/\/\/\expected-example.com/path
Escaped string:
https:/\\/\\/\\expected-example.com/path
(JavaScript strings must escape backslash)Affected versions incorrectly return no hostname. Patched versions correctly return
expected-example.com
. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class.Patches
Version 1.19.7 is patched against all known payload variants.
References
https://github.com/medialize/URI.js/releases/tag/v1.19.7 (fix for this particular bypass)
https://github.com/medialize/URI.js/releases/tag/v1.19.6 (fix for related bypass)
https://github.com/medialize/URI.js/releases/tag/v1.19.4 (fix for related bypass)
https://github.com/medialize/URI.js/releases/tag/v1.19.3 (fix for related bypass)
PR #233 (initial fix for backslash handling)
For more information
If you have any questions or comments about this advisory, open an issue in https://github.com/medialize/URI.js
Reporter credit
ready-research via https://huntr.dev/
CVE-2022-0613
Attacker can use case-insensitive protocol schemes like HTTP, htTP, HTtp etc. in order to bypass the patch for CVE-2021-3647.
CVE-2022-24723
Impact
Whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly and protocol validation mechanisms may fail.
Patches
Patched in 1.19.9
Workarounds
Remove leading whitespace from values before passing them to URI.parse (e.g. via
.href(value)
ornew URI(value)
), e.g. by usingReferences
For more information
If you have any questions or comments about this advisory:
CVE-2022-0868
urijs prior to version 1.19.10 is vulnerable to open redirect. This is the result of a bypass for the fix to CVE-2022-0613.
CVE-2022-1233
Medialize is a Javascript URL mutation library. When parsing a URL without a scheme and with excessive slashes, like ///www.example.com, URI.js will parse the hostname as null and the path as /www.example.com. Such behaviour is different from that exhibited by browsers, which will parse ///www.example.com as https://www.example.com instead. For example, the following will cause a redirect to https://www.example.com: A fix was released in version 1.19.11.
CVE-2022-1243
\r, \n and \t characters in user-input URLs can potentially lead to incorrect protocol extraction when using npm package urijs prior to version 1.19.11.
This can lead to XSS when the module is used to prevent passing in malicious javascript: links into HTML or Javascript (see following example):
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.