GHSA-gf8q-jrpm-jvxq

ADVISORY - github

Summary

Impact

The regex used for the forge.util.parseUrl API would not properly parse certain inputs resulting in a parsed data structure that could lead to undesired behavior.

Patches

forge.util.parseUrl and other very old related URL APIs were removed in 1.0.0 in favor of letting applications use the more modern WHATWG URL Standard API.

Workarounds

Ensure code does not directly or indirectly call forge.util.parseUrl with untrusted input.

References

https://www.huntr.dev/bounties/41852c50-3c6d-4703-8c55-4db27164a4ae/

For more information

If you have any questions or comments about this advisory:

Open an issue in forge
Email us at support@digitalbazaar.com

Common Weakness Enumeration (CWE)

ADVISORY - github

CWE-601⁠

URL Redirection to Untrusted Site ('Open Redirect')

ADVISORY - gitlab

CWE-1035⁠

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-937⁠

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

Impacted images

Advisories

GitHub

CREATED

3 years ago

UPDATED

3 years ago

ADVISORY IDGHSA-gf8q-jrpm-jvxq⁠

EXPLOITABILITY SCORE

-

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

N/Alow

GitLab

CREATED

3 years ago

UPDATED

3 years ago

ADVISORY ID

GMS-2022-67

EXPLOITABILITY SCORE

-

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CWE-1035⁠CWE-937⁠

CVSS SCORE

N/Aunspecified