fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URIs authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later.
Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B’s state.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Fast-uri | Openjsf | * | 3.1.2 (excluding) |
| Red Hat Ansible Automation Platform 2.6 for RHEL 9 | RedHat | automation-platform-ui-0:2.6.10-1.el9ap | * |
| Red Hat Enterprise Linux 10 | RedHat | rh-podman-desktop-0:1.1.1-1.el10_2 | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/distributed-tracing-console-plugin-pf4-rhel9:1782840519 | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/distributed-tracing-console-plugin-pf5-rhel9:1782839981 | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/distributed-tracing-console-plugin-pf6-rhel9:1782839193 | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/distributed-tracing-console-plugin-rhel9:1782838753 | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/logging-console-plugin-pf4-rhel9:1782839279 | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/logging-console-plugin-pf5-rhel9:1782840539 | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/logging-console-plugin-rhel9:1782841925 | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/monitoring-console-plugin-rhel9:1782838476 | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/troubleshooting-panel-console-plugin-pf6-rhel9:1782839996 | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/troubleshooting-panel-console-plugin-rhel9:1782839494 | * |
| Multicluster engine for Kubernetes 2.11 | RedHat | multicluster-engine/console-mce-rhel9:1780910888 | * |
| Red Hat Advanced Cluster Management for Kubernetes 2.16 | RedHat | rhacm2/console-rhel9:1780600823 | * |
| Red Hat Ansible Automation Platform 2.6 | RedHat | ansible-automation-platform-26/gateway-rhel9:1782761510 | * |
| Red Hat Ansible Automation Platform 2.6 | RedHat | ansible-automation-platform-tech-preview/mcp-server-rhel9:1782721130 | * |
| Red Hat Developer Hub 1.10 | RedHat | rhdh/rhdh-hub-rhel9:1783448184 | * |
| Red Hat Developer Hub 1.9 | RedHat | rhdh/rhdh-hub-rhel9:1781187342 | * |
| Red Hat Discovery 2 | RedHat | discovery/discovery-ui-rhel9:1782166952 | * |
| Red Hat Edge Manager 1.0 | RedHat | rhem/flightctl-ui-ocp-rhel9:1783502765 | * |
| Red Hat Edge Manager 1.0 | RedHat | rhem/flightctl-ui-rhel9:1783502438 | * |
| Red Hat OpenShift Container Platform 4.19 | RedHat | openshift4/ose-monitoring-plugin-rhel9:1782880472 | * |
| Red Hat OpenShift Container Platform 4.20 | RedHat | openshift4/ose-monitoring-plugin-rhel9:1782313844 | * |
| Red Hat OpenShift Container Platform 4.21 | RedHat | openshift4/ose-monitoring-plugin-rhel9:1782308519 | * |
| Red Hat OpenShift Container Platform 4.21 | RedHat | openshift4/nmstate-console-plugin-rhel9:1782914001 | * |
| Red Hat OpenShift Container Platform 4.22 | RedHat | openshift4/ose-console-rhel9:1782224390 | * |
| Red Hat OpenShift Container Platform 4.22 | RedHat | openshift4/ose-monitoring-plugin-rhel9:1782224316 | * |
| Red Hat OpenShift Container Platform 4.22 | RedHat | openshift4/nmstate-console-plugin-rhel9:1782224099 | * |
| Red Hat Quay 3.10 | RedHat | quay/quay-rhel8:1782487717 | * |
| Red Hat Quay 3.12 | RedHat | quay/quay-rhel8:1781937357 | * |
| Red Hat Quay 3.9 | RedHat | quay/quay-rhel8:1781878070 | * |
| Red Hat Satellite 6.18 | RedHat | satellite/iop-vulnerability-frontend-rhel9:1781032495 | * |
| Node-ajv | Ubuntu | questing | * |