#VU67937 Information disclosure in parse-url - CVE-2022-0722

Cybersecurity Help s.r.o.

Published: 2022-10-05

Vulnerability identifier: #VU67937

Vulnerability risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-0722

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
parse-url
Web applications / JS libraries

Vendor: IonicaBizau

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can gain unauthorized access to cookies from another domain.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

parse-url: 3.0.0 - 6.0.5

External links
http://github.com/ionicabizau/parse-url/commit/21c72ab9412228eea753e2abc48f8962707b1fe3
http://huntr.dev/bounties/2490ef6d-5577-4714-a4dd-9608251b4226

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Business Automation Manager Open Editions

Multiple vulnerabilities in Red Hat Process Automation Manager

Multiple vulnerabilities in IonicaBizau parse-url for Node.js