Bug 1196743 - (CVE-2022-24723) VUL-1: CVE-2022-24723: nodejs10,nodejs6,nodejs8,nodejs12,nodejs14,nodejs4,nodejs16: Leading white space bypasses protocol validation in URI.js
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Minor
Assigned To: Adam Majer
https://smash.suse.de/issue/325316/
Reported: 2022-03-04 08:42 UTC by Thomas Leroy
Modified: 2022-03-07 13:34 UTC
Found By: Security Response Team
Description Thomas Leroy 2022-03-04 08:42:07 UTC
CVE-2022-24723

URI.js is a Javascript URL mutation library. Before version 1.19.9, whitespace
characters are not removed from the beginning of the protocol, so URLs are not
parsed properly. This issue has been patched in version 1.19.9. Removing leading
whitespace from values before passing them to URI.parse can be used as a
workaround.

Upstream fix:
https://github.com/medialize/uri.js/commit/86d10523a6f6e8dc4300d99d671335ee362ad316

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24723
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24723
https://github.com/medialize/URI.js/security/advisories/GHSA-gmv4-r438-p67f
http://www.cvedetails.com/cve/CVE-2022-24723/
https://github.com/medialize/URI.js/releases/tag/v1.19.9
https://github.com/medialize/uri.js/commit/86d10523a6f6e8dc4300d99d671335ee362ad316
https://huntr.dev/bounties/82ef23b8-7025-49c9-b5fc-1bb9885788e5/
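
Added example (not part of the original report, and not URI.js code): a JavaScript sketch of why an untrimmed, start-anchored scheme check disagrees with a WHATWG URL consumer on inputs with leading whitespace or control characters, and how the workaround from the description closes the gap. The function names, the allow-list and the sample URLs are assumptions made for illustration.

```javascript
// Added example; function names are hypothetical and not URI.js internals.
const ALLOWED = new Set(["http", "https"]);

// Simplified model of a start-anchored scheme match on untrimmed input
// (assumption: illustrates the class of bug, not the library's actual regex).
function naiveScheme(input) {
  const m = /^([a-z][a-z0-9.+-]*):/i.exec(input);
  return m ? m[1].toLowerCase() : null; // null => treated as a relative reference
}

// Validator that permits relative references and allow-listed schemes.
function naiveIsAllowed(input) {
  const scheme = naiveScheme(input);
  return scheme === null || ALLOWED.has(scheme);
}

// What a WHATWG URL consumer (Node's global URL, browsers) sees: the spec
// strips leading C0 control characters and spaces before parsing.
function whatwgScheme(input) {
  try {
    return new URL(input).protocol.slice(0, -1);
  } catch {
    return null; // not an absolute URL
  }
}

// The workaround from the description: remove leading whitespace first.
// Assumption: "whitespace" is taken as U+0000-U+0020 to match the WHATWG rule.
function stripLeading(input) {
  return String(input).replace(/^[\u0000-\u0020]+/, "");
}

function hardenedIsAllowed(input) {
  return naiveIsAllowed(stripLeading(input));
}

// Constructed sample inputs (example hosts only).
const SAMPLES = ["https://example.com/", "/local/path", "ftp://files.example/x",
                 "\bftp://files.example/x", "  ftp://files.example/x"];

function compare(samples = SAMPLES) {
  return samples.map((s) => ({
    input: JSON.stringify(s),
    naive: naiveIsAllowed(s),
    whatwg: whatwgScheme(s),
    hardened: hardenedIsAllowed(s),
  }));
}
console.table(compare());
```

Rows where `naive` is true while `whatwg` reports a scheme outside the allow-list are the validation mismatch; `hardened` should be false on every such row.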
Comment 1 Thomas Leroy 2022-03-04 08:43:48 UTC
We bundle a node-uri-js in some of the nodejs packages, but this module is garycourt/uri-js, and not medialize/URI.js. Therefore, I think we're not affected.
Comment 2 Thomas Leroy 2022-03-07 09:14:30 UTC
(In reply to Thomas Leroy from comment #1)
> We bundle a node-uri-js in some of the nodejs packages, but this module is
> garycourt/uri-js, and not medialize/URI.js. Therefore, I think we're not
> affected.

Can you confirm @Adam please? :)
Comment 3 Adam Majer 2022-03-07 13:27:40 UTC
Correct, this appears to be a different one. We have uri-js, not urijs :-)

I've just tested the version shipped as part of nodejs14 with the reproducer,

> > require('./dist/es5/uri.all.js').parse("\bhttp://google.com");
> {
>   scheme: 'http',
>   userinfo: undefined,
>   host: 'google.com',
>   port: undefined,
>   path: '',
>   query: undefined,
>   fragment: undefined,
>   reference: 'absolute'
> }
Comment 4 Thomas Leroy 2022-03-07 13:33:44 UTC
Great! Thank you very much Adam!
Comment 5 Thomas Leroy 2022-03-07 13:34:14 UTC
Closing