PT-2018-11030 · Node.Js+3 · Node.Js+3

Martin Bajanik

Published

2018-11-27

Updated

2024-12-13

CVE-2018-12123

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions Node.js versions prior to 6.15.0 Node.js versions prior to 8.14.0 Node.js versions prior to 10.14.0 Node.js versions prior to 11.3.0

Description The issue concerns hostname spoofing in the URL parser for the javascript protocol. If a Node.js application uses url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" protocol, such as "javAscript:". This affects security decisions made about the URL based on the hostname, which may be incorrect. Other protocols are not affected by this issue.

Recommendations For versions prior to 6.15.0, update to version 6.15.0 or later. For versions prior to 8.14.0, update to version 8.14.0 or later. For versions prior to 10.14.0, update to version 10.14.0 or later. For versions prior to 11.3.0, update to version 11.3.0 or later.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20CWE-115

Related Identifiers

ALT-PU-2018-2749

BDU:2026-01430

CVE-2018-12123

MGASA-2019-0277

OPENSUSE-SU-2019:0089-1

OPENSUSE-SU-2019_0088-1

OPENSUSE-SU-2019_0089-1

OPENSUSE-SU-2019_0234-1

RHSA-2019:1821

RHSA-2019:2939

SUSE-SU-2019:0117-1

SUSE-SU-2019:0118-1

SUSE-SU-2019:0395-1

SUSE-SU-2019:14246-1

SUSE-SU-2019_14246-1

USN-4796-1

Affected Products

Alt Linux

Node.Js

Suse

Ubuntu

PT-2018-11030 · Node.Js+3 · Node.Js+3

CVE-2018-12123

Weakness Enumeration

Related Identifiers

Affected Products

References · 295