[Git][security-tracker-team/security-tracker][master] CVE-2022-0613/node-urijs <itp> (bug #902083)
Neil Williams (@codehelp)
codehelp at debian.org
Fri Mar 4 11:21:46 GMT 2022
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2e1e68ee by Neil Williams at 2022-03-04T11:21:12+00:00
CVE-2022-0613/node-urijs <itp> (bug #902083)
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -3166,7 +3166,8 @@ CVE-2022-0614 (Use of Out-of-range Pointer Offset in Homebrew mruby prior to 3.2
NOTE: https://huntr.dev/bounties/a980ce4d-c359-4425-92c4-e844c0055879
NOTE: https://github.com/mruby/mruby/commit/ff3a5ebed6ffbe3e70481531cfb969b497aa73ad
CVE-2022-0613 (Authorization Bypass Through User-Controlled Key in NPM urijs prior to ...)
- NOT-FOR-US: Node urijs
+ - node-urijs <itp> (bug #902083)
+ NOTE: https://github.com/medialize/uri.js/commit/6ea641cc8648b025ed5f30b090c2abd4d1a5249f (v1.19.8)
CVE-2021-4220
REJECTED
CVE-2021-4219
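Review bot: The new CVE-2022-0613 entry carries only the commit NOTE for v1.19.8, while the other three urijs entries touched by this commit each carry both a commit NOTE and a releases/tag NOTE. Consider adding the matching release-tag NOTE here so all four entries give the same references. The commit URL also spells the repository as medialize/uri.js, where the CVE-2021-27516 and CVE-2020-26291 entries use medialize/URI.js; using one spelling throughout makes the entries easier to grep for.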
@@ -4360,7 +4361,9 @@ CVE-2022-24725 (Shescape is a shell escape package for JavaScript. An issue in v
CVE-2022-24724 (cmark-gfm is GitHub's extended version of the C reference implementati ...)
TODO: check
CVE-2022-24723 (URI.js is a Javascript URL mutation library. Before version 1.19.9, wh ...)
- TODO: check
+ - node-urijs <itp> (bug #902083)
+ NOTE: https://github.com/medialize/uri.js/commit/86d10523a6f6e8dc4300d99d671335ee362ad316 (v1.19.9)
+ NOTE: https://github.com/medialize/URI.js/releases/tag/v1.19.9
CVE-2022-24722 (VIewComponent is a framework for building view components in Ruby on R ...)
NOT-FOR-US: VIewComponent
CVE-2022-24721
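Review bot: The two NOTE lines added for CVE-2022-24723 spell the upstream repository differently, medialize/uri.js in the commit URL and medialize/URI.js in the release URL. Suggest using medialize/URI.js in both, as the CVE-2021-27516 entry does. Because the entry is now tracked as <itp>, the "(v1.19.9)" annotation is the only record of the fixed upstream version, so whoever closes bug #902083 needs to package at least that version.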
@@ -64726,7 +64729,9 @@ CVE-2021-27518
CVE-2021-27517 (Foxit PDF SDK For Web through 7.5.0 allows XSS. There is arbitrary Jav ...)
NOT-FOR-US: Foxit
CVE-2021-27516 (URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash ...)
- NOT-FOR-US: urijs
+ - node-urijs <itp> (bug #902083)
+ NOTE: https://github.com/medialize/URI.js/commit/a1ad8bcbc39a4d136d7e252e76e957f3ece70839 (v1.19.6)
+ NOTE: https://github.com/medialize/URI.js/releases/tag/v1.19.6
CVE-2021-27515 (url-parse before 1.5.0 mishandles certain uses of backslash such as ht ...)
- node-url-parse 1.5.1-1 (bug #985110)
[buster] - node-url-parse <no-dsa> (Minor issue)
@@ -99294,7 +99299,9 @@ CVE-2020-26293 (HtmlSanitizer is a .NET library for cleaning HTML fragments and
CVE-2020-26292 (Creeper is an experimental dynamic, interpreted language. The binary r ...)
NOT-FOR-US: Creeper
CVE-2020-26291 (URI.js is a javascript URL mutation library (npm package urijs). In UR ...)
- NOT-FOR-US: Node urijs
+ - node-urijs <itp> (bug #902083)
+ NOTE: https://github.com/medialize/URI.js/releases/tag/v1.19.4
+ NOTE: https://github.com/medialize/URI.js/commit/b02bf037c99ac9316b77ff8bfd840e90becf1155 (v1.19.4)
CVE-2020-26290 (Dex is a federated OpenID Connect provider written in Go. In Dex befor ...)
NOT-FOR-US: Dex OIDC provider (differnet from src:dex)
CVE-2020-26289 (date-and-time is an npm package for manipulating date and time. In dat ...)
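Review bot: In the CVE-2020-26291 entry the releases/tag NOTE comes before the commit NOTE, the reverse of the order used in the CVE-2021-27516 and CVE-2022-24723 entries added by the same commit. Suggest putting the commit NOTE with its "(v1.19.4)" annotation first so the four urijs entries read the same way.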
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e1e68eef32f5f9353d49e68259e521a6bf1426f