SB2021022236 - improper input validation in URI.js
Published: February 22, 2021 Updated: August 29, 2022
Description
This security bulletin contains information about 1 security vulnerability.
1) Input validation error (CVE-ID: CVE-2021-27516)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of strings that contain a backslash, such as "http:\/", which is interpreted as a relative path. A remote attacker can pass a malformed URI to the application and read the contents of local files.
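The parser disagreement behind this kind of input-validation error, as an added example (not code from URI.js or from this bulletin): a strict RFC 3986 split finds no authority in a backslash-bearing string, while a WHATWG URL parser (Node's global `URL`) resolves a host from it. The function names, the validator policy and the `.test` host names are assumptions made for illustration; the regular expression is the one given in RFC 3986 Appendix B.

```javascript
// Added example. RFC 3986 Appendix B regex, used as a stand-in for a strict
// generic-URI parser (this is not URI.js's parser).
const RFC3986 = /^(([^:\/?#]+):)?(\/\/([^\/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?/;

function strictParse(input) {
  const m = RFC3986.exec(input);
  return {
    scheme: (m[2] || "").toLowerCase(),
    authority: (m[4] || "").toLowerCase(),
    path: m[5] || "",
  };
}

// Host as a WHATWG URL parser sees it; null when the input is not absolute.
function whatwgHost(input) {
  try {
    return new URL(input).host;
  } catch {
    return null;
  }
}

// Hypothetical validator: accept an absolute http(s) URI only when it has no
// backslash, both parsers agree on the authority, and the host is allow-listed.
// Deliberately strict: userinfo or an explicit default port also fails.
function validateAbsoluteUri(input, allowedHosts) {
  if (input.includes("\\")) return { ok: false, reason: "backslash" };
  const strict = strictParse(input);
  if (strict.scheme !== "http" && strict.scheme !== "https") {
    return { ok: false, reason: "scheme" };
  }
  const host = whatwgHost(input);
  if (host === null) return { ok: false, reason: "not-absolute" };
  if (strict.authority !== host) return { ok: false, reason: "parser-mismatch" };
  if (!allowedHosts.includes(host)) return { ok: false, reason: "host-not-allowed" };
  return { ok: true, host };
}

// Constructed sample inputs (the .test names are placeholders).
const SAMPLES = ["http:\\/app.example.test/reset", "http:/app.example.test/reset",
  "https://app.example.test/reset"];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), strictParse(s).authority || "(none)",
    whatwgHost(s), validateAbsoluteUri(s, ["app.example.test"]));
}
```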
Remediation
Install the update from the vendor's website.