{"containers": {"cna": {"affected": [{"product": "url-parse", "vendor": "n/a", "versions": [{"status": "affected", "version": "Fixed Version 1.4.5"}]}], "descriptions": [{"lang": "en", "value": "Insufficient validation and sanitization of user input exists in url-parse npm package version 1.4.4 and earlier may allow attacker to bypass security checks."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "Improper Input Validation (CWE-20)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-02-04T19:08:56", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/496293"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2020-8124", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "url-parse", "version": {"version_data": [{"version_value": "Fixed Version 1.4.5"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Insufficient validation and sanitization of user input exists in url-parse npm package version 1.4.4 and earlier may allow attacker to bypass security checks."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Input Validation (CWE-20)"}]}]}, "references": {"reference_data": [{"name": "https://hackerone.com/reports/496293", "refsource": "MISC", "url": "https://hackerone.com/reports/496293"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:48:25.621Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/496293"}]}]}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2020-8124", "datePublished": "2020-02-04T19:08:56", "dateReserved": "2020-01-28T00:00:00", "dateUpdated": "2024-08-04T09:48:25.621Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:url-parse_project:url-parse:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "C15470F5-813D-47FA-B8C8-B1B97E2BF5DA", "versionEndIncluding": "1.4.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Insufficient validation and sanitization of user input exists in url-parse npm package version 1.4.4 and earlier may allow attacker to bypass security checks."}, {"lang": "es", "value": "Se presenta una comprobaci\u00f3n y saneamiento insuficiente de la entrada del usuario en el paquete url-parse npm versi\u00f3n 1.4.4 y anteriores, puede permitir a un atacante omitir las comprobaciones de seguridad."}], "id": "CVE-2020-8124", "lastModified": "2020-02-18T15:59:43.253", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-02-04T20:15:14.543", "references": [{"source": "support@hackerone.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://hackerone.com/reports/496293"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "support@hackerone.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2020:0972", "cpe": "cpe:/a:redhat:service_mesh:1.0::el7", "package": "jaeger-0:v1.13.1.redhat6-1.el7", "product_name": "Openshift Service Mesh 1.0", "release_date": "2020-03-25T00:00:00Z"}, {"advisory": "RHSA-2020:0972", "cpe": "cpe:/a:redhat:service_mesh:1.0::el7", "package": "kiali-0:v1.0.10.redhat1-1.el7", "product_name": "Openshift Service Mesh 1.0", "release_date": "2020-03-25T00:00:00Z"}], "bugzilla": {"description": "npmjs-url-parse: Improper validation of protocol of the returned URL", "id": "1800774", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1800774"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "verified"}, "cwe": "CWE-20", "details": ["Insufficient validation and sanitization of user input exists in url-parse npm package version 1.4.4 and earlier may allow attacker to bypass security checks.", "An input validation flaw exists in the node.js-url-parse, which results in the URL being incorrectly set to the document location protocol instead of the URL being passed as an argument. An attacker could use this flaw to bypass security checks on URLs."], "name": "CVE-2020-8124", "package_state": [{"cpe": "cpe:/a:redhat:jaeger:1.17::el7", "fix_state": "Will not fix", "package_name": "jaeger", "product_name": "Distributed Tracing Jaeger 1"}, {"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Not affected", "package_name": "grafana", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Will not fix", "package_name": "nodejs-url-parse", "product_name": "Red Hat Quay 3"}], "public_date": "2020-02-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-8124\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8124"], "threat_severity": "Moderate", "upstream_fix": "nodejs-url-parse 1.4.5"}