Debian dla-3336 : node-url-parse - security update

critical Nessus Plugin ID 171837

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-3336 advisory.

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3336-1 [email protected]
https://www.debian.org/lts/security/ Guilhem Moulin
February 23, 2023 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : node-url-parse
Version : 1.2.0-2+deb10u2
CVE ID : CVE-2021-3664 CVE-2021-27515 CVE-2022-0512 CVE-2022-0639 CVE-2022-0686 CVE-2022-0691
Debian Bug : 985110 991577

Multiple vulnerabilities were found in node-types-url-parse, a Node.js module used to parse URLs, which may result in authorization bypass or redirection to untrusted sites.

CVE-2021-3664

url-parse mishandles certain uses of a single (back)slash such as https:\ & https:/ and interprets the URI as a relative path.
Browsers accept a single backslash after the protocol, and treat it as a normal slash, while url-parse sees it as a relative path.
Depending on library usage, this may result in allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.

CVE-2021-27515

Using backslash in the protocol is valid in the browser, while url-parse thinks it's a relative path. An application that validates a URL using url-parse might pass a malicious link.

CVE-2022-0512

Incorrect handling of username and password can lead to failure to properly identify the hostname, which in turn could result in authorization bypass.

CVE-2022-0639

Incorrect conversion of `@` characters in protocol in the `href` field can lead to failure to properly identify the hostname, which in turn could result in authorization bypass.

CVE-2022-0686

Rohan Sharma reported that url-parse is unable to find the correct hostname when no port number is provided in the URL, such as in `http://example.com:`. This could in turn result in SSRF attacks, open redirects or any other vulnerability which depends on the `hostname` field of parsed URL.

CVE-2022-0691

url-parse is unable to find the correct hostname when the URL contains a backspace `\b` character. This tricks the parser into interpreting the URL as a relative path, bypassing all hostname checks. It can also lead to false positives in `extractProtocol()`.

For Debian 10 buster, these problems have been fixed in version 1.2.0-2+deb10u2.

We recommend that you upgrade your node-url-parse packages.

For the detailed security status of node-url-parse please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/node-url-parse

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the node-url-parse packages.
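
As defense in depth alongside the upgrade, an application that allowlists on hostname can refuse the ambiguous input forms named in the CVE descriptions above before trusting any parser's `hostname` field. This is an added example, not code from the Debian advisory, Tenable or the url-parse project; `checkRedirectTarget`, `ALLOWED_HOSTS` and the sample URLs are constructed, and it uses Node's built-in WHATWG `URL` class rather than url-parse.

```javascript
// Added example: reject the ambiguous URL forms named in the CVE descriptions
// before allowlisting on hostname. All names and sample values are constructed.
const ALLOWED_HOSTS = new Set(['example.com']); // hypothetical allowlist

function checkRedirectTarget(input) {
  const reject = (reason) => ({ ok: false, reason });
  if (typeof input !== 'string') return reject('not-a-string');

  // Control characters and whitespace (backspace, tab, CR, LF, space, DEL):
  // parsers differ on whether these are stripped, kept or treated as path data.
  if (/[\u0000-\u0020\u007f]/.test(input)) return reject('control-or-space');

  // Browsers treat '\' as '/', so a backslash anywhere is a differential risk.
  if (input.includes('\\')) return reject('backslash');

  // Require the scheme followed by exactly "//" and a non-slash character,
  // which rules out "https:/host" and "https:///host".
  if (!/^https:\/\/[^\/]/i.test(input)) return reject('scheme-or-slashes');

  // Inspect the raw authority (text between "//" and the first /, ? or #).
  const authority = input.slice('https://'.length).split(/[\/?#]/)[0];
  if (authority.includes('@')) return reject('userinfo');
  if (authority.endsWith(':')) return reject('empty-port');

  let url;
  try {
    url = new URL(input); // Node's built-in WHATWG parser, not url-parse
  } catch {
    return reject('unparseable');
  }
  if (!ALLOWED_HOSTS.has(url.hostname)) return reject('host-not-allowed');
  return { ok: true, hostname: url.hostname };
}

// Constructed inputs covering the forms described in the advisory.
const samples = [
  'https://example.com/account',
  'https:\\example.com',
  'https:/example.com',
  'https://user:pw@example.com/',
  'https://example.com:',
  '\bhttps://example.com',
  'https://other.test/',
];
for (const s of samples) console.log(JSON.stringify(s), checkRedirectTarget(s));
```

Rejecting these forms outright, instead of normalising them, avoids depending on any two parsers agreeing about what the input means.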

See Also

http://www.nessus.org/u?082d3b19

https://security-tracker.debian.org/tracker/CVE-2021-27515

https://security-tracker.debian.org/tracker/CVE-2021-3664

https://security-tracker.debian.org/tracker/CVE-2022-0512

https://security-tracker.debian.org/tracker/CVE-2022-0639

https://security-tracker.debian.org/tracker/CVE-2022-0686

https://security-tracker.debian.org/tracker/CVE-2022-0691

https://packages.debian.org/source/buster/node-url-parse

Plugin Details

Severity: Critical

ID: 171837

File Name: debian_DLA-3336.nasl

Version: 1.2

Type: local

Agent: unix

Published: 2/23/2023

Updated: 1/22/2025

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2022-0691

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:10.0, p-cpe:/a:debian:debian_linux:node-url-parse

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/23/2023

Vulnerability Publication Date: 2/22/2021

Reference Information

CVE: CVE-2021-27515, CVE-2021-3664, CVE-2022-0512, CVE-2022-0639, CVE-2022-0686, CVE-2022-0691