CVE-2022-24723 - OpenCVE

URI.js is a Javascript URL mutation library. Before version 1.19.9, whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly. This issue has been patched in version 1.19.9. Removing leading whitespace from values before passing them to URI.parse can be used as a workaround.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Uri.js Project	Uri.js

Configuration 1 [-]

cpe:2.3:a:uri.js_project:uri.js:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/medialize/URI.js/releases/tag/v1.19.9	Release Notes Third Party Advisory
https://github.com/medialize/URI.js/security/advisories/GHSA-gmv4-r438-p67f	Mitigation Third Party Advisory
https://github.com/medialize/uri.js/commit/86d10523a6f6e8dc4300d99d671335ee362ad316	Patch Third Party Advisory
https://huntr.dev/bounties/82ef23b8-7025-49c9-b5fc-1bb9885788e5/	Exploit Issue Tracking Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-03-03T20:35:11

Updated: 2022-03-03T20:35:11

Reserved: 2022-02-10T00:00:00

Link: CVE-2022-24723

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-03-03T21:15:07.813

Modified: 2023-07-03T20:35:47.993

Link: CVE-2022-24723

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "URI.js", "vendor": "medialize", "versions": [{"status": "affected", "version": "< 1.19.9"}]}], "descriptions": [{"lang": "en", "value": "URI.js is a Javascript URL mutation library. Before version 1.19.9, whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly. This issue has been patched in version 1.19.9. Removing leading whitespace from values before passing them to URI.parse can be used as a workaround."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20: Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-03T20:35:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/medialize/URI.js/security/advisories/GHSA-gmv4-r438-p67f"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/medialize/uri.js/commit/86d10523a6f6e8dc4300d99d671335ee362ad316"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/medialize/URI.js/releases/tag/v1.19.9"}, {"tags": ["x_refsource_MISC"], "url": "https://huntr.dev/bounties/82ef23b8-7025-49c9-b5fc-1bb9885788e5/"}], "source": {"advisory": "GHSA-gmv4-r438-p67f", "discovery": "UNKNOWN"}, "title": "Improper Input Validation in URI.js", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24723", "STATE": "PUBLIC", "TITLE": "Improper Input Validation in URI.js"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "URI.js", "version": {"version_data": [{"version_value": "< 1.19.9"}]}}]}, "vendor_name": "medialize"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "URI.js is a Javascript URL mutation library. Before version 1.19.9, whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly. This issue has been patched in version 1.19.9. Removing leading whitespace from values before passing them to URI.parse can be used as a workaround."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20: Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "https://github.com/medialize/URI.js/security/advisories/GHSA-gmv4-r438-p67f", "refsource": "CONFIRM", "url": "https://github.com/medialize/URI.js/security/advisories/GHSA-gmv4-r438-p67f"}, {"name": "https://github.com/medialize/uri.js/commit/86d10523a6f6e8dc4300d99d671335ee362ad316", "refsource": "MISC", "url": "https://github.com/medialize/uri.js/commit/86d10523a6f6e8dc4300d99d671335ee362ad316"}, {"name": "https://github.com/medialize/URI.js/releases/tag/v1.19.9", "refsource": "MISC", "url": "https://github.com/medialize/URI.js/releases/tag/v1.19.9"}, {"name": "https://huntr.dev/bounties/82ef23b8-7025-49c9-b5fc-1bb9885788e5/", "refsource": "MISC", "url": "https://huntr.dev/bounties/82ef23b8-7025-49c9-b5fc-1bb9885788e5/"}]}, "source": {"advisory": "GHSA-gmv4-r438-p67f", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24723", "datePublished": "2022-03-03T20:35:11", "dateReserved": "2022-02-10T00:00:00", "dateUpdated": "2022-03-03T20:35:11", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:uri.js_project:uri.js:*:*:*:*:*:*:*:*", "matchCriteriaId": "251A4CCE-55A2-4822-AC5A-03F406193362", "versionEndExcluding": "1.19.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "URI.js is a Javascript URL mutation library. Before version 1.19.9, whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly. This issue has been patched in version 1.19.9. Removing leading whitespace from values before passing them to URI.parse can be used as a workaround."}, {"lang": "es", "value": "URI.js es una biblioteca de mutaci\u00f3n de URLs en Javascript. En versiones anteriores a 1.19.9, los caracteres de espacio en blanco no eran eliminadas del principio del protocolo, por lo que las URL no eran analizadas correctamente. Este problema ha sido corregido en versi\u00f3n 1.19.9. Puede usarse como medida de mitigaci\u00f3n eliminar los espacios en blanco al principio de los valores antes de pasarlos a URI.parse"}], "id": "CVE-2022-24723", "lastModified": "2023-07-03T20:35:47.993", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-03-03T21:15:07.813", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/medialize/URI.js/releases/tag/v1.19.9"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/medialize/URI.js/security/advisories/GHSA-gmv4-r438-p67f"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/medialize/uri.js/commit/86d10523a6f6e8dc4300d99d671335ee362ad316"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://huntr.dev/bounties/82ef23b8-7025-49c9-b5fc-1bb9885788e5/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Secondary"}]}