CVE - CVE-2020-26291

CVE-ID
CVE-2020-26291	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
URI.js is a javascript URL mutation library (npm package urijs). In URI.js before version 1.19.4, the hostname can be spoofed by using a backslash (`\`) character followed by an at (`@`) character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. For example the URL `https://expected-example.com\@observed-example.com` will incorrectly return `observed-example.com` if using an affected version. Patched versions correctly return `expected-example.com`. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class. Version 1.19.4 is patched against all known payload variants. Version 1.19.3 has a partial patch but is still vulnerable to a payload variant.]
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CONFIRM:https://github.com/medialize/URI.js/security/advisories/GHSA-3329-pjwv-fjpg URL:https://github.com/medialize/URI.js/security/advisories/GHSA-3329-pjwv-fjpg MISC:https://github.com/medialize/URI.js/commit/b02bf037c99ac9316b77ff8bfd840e90becf1155 URL:https://github.com/medialize/URI.js/commit/b02bf037c99ac9316b77ff8bfd840e90becf1155 MISC:https://github.com/medialize/URI.js/releases/tag/v1.19.4 URL:https://github.com/medialize/URI.js/releases/tag/v1.19.4 MISC:https://www.npmjs.com/package/urijs URL:https://www.npmjs.com/package/urijs
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20201001	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20201001)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)