Vulnerability CVE-2018-12123: Information
Description
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.
Severity: MEDIUM (4.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
---|---|---|---|---|---|---|
node | sisyphus | 10.14.1-alt1 | 20.12.2-alt1 | ALT-PU-2018-2749-1 | 217108 | Fixed |
node | p10 | 10.14.1-alt1 | 16.19.1-alt1 | ALT-PU-2018-2749-1 | 217108 | Fixed |
node | p9 | 10.14.1-alt1 | 14.17.2-alt1 | ALT-PU-2018-2749-1 | 217108 | Fixed |
node | c10f1 | 10.14.1-alt1 | 16.19.1-alt1 | ALT-PU-2018-2749-1 | 217108 | Fixed |
node | c9f2 | 10.14.1-alt1 | 16.19.1-alt0.c9.1 | ALT-PU-2018-2749-1 | 217108 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
---|---|
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ |
|
RHSA-2019:1821 |
|
GLSA-202003-48 |
|