PT-2018-11030 · Node.Js+3 · Node.Js+3

Martin Bajanik

Publicado

2018-11-27

Atualizado

2024-12-13

CVE-2018-12123

CVSS v3.1

4.3

Média

Vetor

AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions Node.js versions prior to 6.15.0 Node.js versions prior to 8.14.0 Node.js versions prior to 10.14.0 Node.js versions prior to 11.3.0

Description The issue concerns hostname spoofing in the URL parser for the javascript protocol. If a Node.js application uses url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" protocol, such as "javAscript:". This affects security decisions made about the URL based on the hostname, which may be incorrect. Other protocols are not affected by this issue.

Recommendations For versions prior to 6.15.0, update to version 6.15.0 or later. For versions prior to 8.14.0, update to version 8.14.0 or later. For versions prior to 10.14.0, update to version 10.14.0 or later. For versions prior to 11.3.0, update to version 11.3.0 or later.

Correção

RCE

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-20CWE-115

Identificadores relacionados

ALT-PU-2018-2749

BDU:2026-01430

CVE-2018-12123

MGASA-2019-0277

OPENSUSE-SU-2019:0089-1

OPENSUSE-SU-2019_0088-1

OPENSUSE-SU-2019_0089-1

OPENSUSE-SU-2019_0234-1

RHSA-2019:1821

RHSA-2019:2939

SUSE-SU-2019:0117-1

SUSE-SU-2019:0118-1

SUSE-SU-2019:0395-1

SUSE-SU-2019:14246-1

SUSE-SU-2019_14246-1

USN-4796-1

Produtos afetados

Alt Linux

Node.Js

Suse

Ubuntu

PT-2018-11030 · Node.Js+3 · Node.Js+3

CVE-2018-12123

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 295