Main Vulnerability Database Vulnerabilities #VU66816

Input validation error in urijs - CVE-2021-27516

Published: August 29, 2022

Vulnerability identifier: #VU66816

CSH Severity: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2021-27516

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
urijs

Software vendor:
True Push

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of strings that contain backslash, such as "http:/", which is interpreted as as a relative path. A remote attacker can pass a malformed URI to the application and read contents local files.

Remediation

Install updates from vendor's website.

External links

https://github.com/medialize/URI.js/commit/a1ad8bcbc39a4d136d7e252e76e957f3ece70839
https://github.com/medialize/URI.js/releases/tag/v1.19.6
https://advisory.checkmarx.net/advisory/CX-2021-4305

Input validation error in urijs - CVE-2021-27516

Description

Remediation

External links

Please verify you're human