CVE-2018-12123 Information
Description
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Reference
https://access.redhat.com/errata/RHSA-2019:1821
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
https://security.gentoo.org/glsa/202003-48
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
Base Score
4.3
Base Severity
MEDIUM