Vulnerability CVE-2018-12123: Information

Description

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.
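
The following is an added example, not code from the advisory or the Node.js project. It checks a Node.js version string against the affected ranges listed on this page, and makes the hostname decision only after a case-insensitive scheme allowlist, using the WHATWG URL class rather than url.parse(). The function names, the allowed schemes and the host example.com are assumptions chosen for illustration.

```javascript
'use strict';
// Added example (not Node.js project code). Uses the global WHATWG URL class.

// First fixed release per release line, from the advisory text above.
const FIXED = { 6: [6, 15, 0], 8: [8, 14, 0], 10: [10, 14, 0], 11: [11, 3, 0] };

// True when a version string such as process.version lies inside one of the
// affected ranges listed on this page. Release lines not listed return false.
function inListedAffectedRange(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new TypeError('unrecognised version: ' + version);
  const v = m.slice(1).map(Number);
  const fixed = FIXED[v[0]];
  if (!fixed) return false;
  for (let i = 1; i < 3; i++) {
    if (v[i] !== fixed[i]) return v[i] < fixed[i];
  }
  return false; // exactly the fixed release
}

// Assumptions: the application accepts only web links to these hosts.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);
const ALLOWED_HOSTS = new Set(['example.com']); // constructed sample value

// Returns the hostname only when scheme and host are both allowlisted, else null.
function trustedHostname(input) {
  let u;
  try {
    u = new URL(input);
  } catch (err) {
    return null; // unparsable input is never trusted
  }
  // The WHATWG parser lower-cases the scheme, so "javAscript:" and
  // "javascript:" are the same value here and both fail the allowlist.
  if (!ALLOWED_PROTOCOLS.has(u.protocol)) return null;
  return ALLOWED_HOSTS.has(u.hostname) ? u.hostname : null;
}
```

Checking the scheme before the hostname means the decision does not depend on how a particular parser extracts a host from a "javascript:" URL.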

Severity: MEDIUM (4.3)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Published: Nov. 28, 2018
Modified: Sept. 6, 2022
Error type identifier: CWE-20

References to Advisories, Solutions, and Tools

Hyperlink (Resource)
  • https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ (Patch, Vendor Advisory)
  • RHSA-2019:1821 (Third Party Advisory)
  • GLSA-202003-48 (Third Party Advisory)

Configuration 1

  cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
    Start including: 11.0.0
    End excluding: 11.3.0

  cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
    Start including: 10.0.0
    End excluding: 10.14.0

  cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
    Start including: 8.0.0
    End excluding: 8.14.0

  cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
    Start including: 6.0.0
    End excluding: 6.15.0