url-parse before 1.5.0 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Url-parse | Url-parse_project | * | 1.5.0 (excluding) |
| Red Hat Quay 3 | RedHat | quay/quay-rhel8:v3.6.0-62 | * |
| Node-url-parse | Ubuntu | bionic | * |
| Node-url-parse | Ubuntu | esm-apps/bionic | * |
| Node-url-parse | Ubuntu | esm-apps/focal | * |
| Node-url-parse | Ubuntu | esm-apps/xenial | * |
| Node-url-parse | Ubuntu | focal | * |
| Node-url-parse | Ubuntu | groovy | * |
| Node-url-parse | Ubuntu | hirsute | * |
| Node-url-parse | Ubuntu | impish | * |
| Node-url-parse | Ubuntu | lunar | * |
| Node-url-parse | Ubuntu | mantic | * |
| Node-url-parse | Ubuntu | trusty | * |
| Node-url-parse | Ubuntu | upstream | * |
| Node-url-parse | Ubuntu | xenial | * |
References
- https://advisory.checkmarx.net/advisory/CX-2021-4306
- https://github.com/unshiftio/url-parse/commit/d1e7e8822f26e8a49794b757123b51386325b2b0
- https://github.com/unshiftio/url-parse/compare/1.4.7...1.5.0
- https://github.com/unshiftio/url-parse/pull/197
- https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html
- https://advisory.checkmarx.net/advisory/CX-2021-4306
- https://github.com/unshiftio/url-parse/commit/d1e7e8822f26e8a49794b757123b51386325b2b0
- https://github.com/unshiftio/url-parse/compare/1.4.7...1.5.0
- https://github.com/unshiftio/url-parse/pull/197
- https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html