CVE-2021-27516 - OpenCVE

URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Uri.js Project	Uri.js

Configuration 1 [-]

cpe:2.3:a:uri.js_project:uri.js:*:*:*:*:*:*:*:*

References

Link	Resource
https://advisory.checkmarx.net/advisory/CX-2021-4305	Exploit Third Party Advisory
https://github.com/medialize/URI.js/commit/a1ad8bcbc39a4d136d7e252e76e957f3ece70839	Patch Third Party Advisory
https://github.com/medialize/URI.js/releases/tag/v1.19.6	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-02-21T23:29:56

Updated: 2021-03-30T15:51:07

Reserved: 2021-02-21T00:00:00

Link: CVE-2021-27516

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-02-22T00:15:12.620

Modified: 2022-11-29T15:01:10.963

Link: CVE-2021-27516

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash such as http:\\/ and interprets the URI as a relative path."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-03-30T15:51:07", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/medialize/URI.js/commit/a1ad8bcbc39a4d136d7e252e76e957f3ece70839"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/medialize/URI.js/releases/tag/v1.19.6"}, {"tags": ["x_refsource_MISC"], "url": "https://advisory.checkmarx.net/advisory/CX-2021-4305"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-27516", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash such as http:\\/ and interprets the URI as a relative path."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/medialize/URI.js/commit/a1ad8bcbc39a4d136d7e252e76e957f3ece70839", "refsource": "MISC", "url": "https://github.com/medialize/URI.js/commit/a1ad8bcbc39a4d136d7e252e76e957f3ece70839"}, {"name": "https://github.com/medialize/URI.js/releases/tag/v1.19.6", "refsource": "MISC", "url": "https://github.com/medialize/URI.js/releases/tag/v1.19.6"}, {"name": "https://advisory.checkmarx.net/advisory/CX-2021-4305", "refsource": "MISC", "url": "https://advisory.checkmarx.net/advisory/CX-2021-4305"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-27516", "datePublished": "2021-02-21T23:29:56", "dateReserved": "2021-02-21T00:00:00", "dateUpdated": "2021-03-30T15:51:07", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:uri.js_project:uri.js:*:*:*:*:*:*:*:*", "matchCriteriaId": "36DFF109-A827-4D9A-9790-55C2564E83EB", "versionEndExcluding": "1.19.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash such as http:\\/ and interprets the URI as a relative path."}, {"lang": "es", "value": "URI.js (tambi\u00e9n se conoce como urijs) versiones anteriores a 1.19.6, maneja inapropiadamente determinados usos de barra invertida como http:\\/ e interpreta el URI como una ruta relativa"}], "id": "CVE-2021-27516", "lastModified": "2022-11-29T15:01:10.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-22T00:15:12.620", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://advisory.checkmarx.net/advisory/CX-2021-4305"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/medialize/URI.js/commit/a1ad8bcbc39a4d136d7e252e76e957f3ece70839"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/medialize/URI.js/releases/tag/v1.19.6"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}