CVE-2022-0686
Authorization Bypass vulnerability in url-parse (npm)

Authorization Bypass | No known exploit | Fixable by Resolved Security

What is CVE-2022-0686 About?

url-parse prior to version 1.5.8 is vulnerable to Authorization Bypass Through User-Controlled Key. This allows an attacker to manipulate authentication or access control mechanisms. Exploitation requires specific knowledge of how the key is used in authorization.

Affected Software

url-parse <1.5.8

Technical Details

The vulnerability in url-parse prior to version 1.5.8 is an 'Authorization Bypass Through User-Controlled Key'. This implies that a component or function within url-parse uses a 'key' (likely part of a URL, query parameter, or header derived from URL parsing) in an authorization decision. The flaw is that an attacker can manipulate this key through user-controlled input. By crafting a specific URL, the attacker can modify the key's value, which then bypasses the intended authorization checks. This bypass can grant unauthorized access to resources or functionality that should otherwise be protected. The attack vector involves submitting a specially crafted URL that leverages this key manipulation capability.

What is the Impact of CVE-2022-0686?

Successful exploitation may allow attackers to bypass authentication or authorization checks, gaining unauthorized access to sensitive information or restricted functionalities.

What is the Exploitability of CVE-2022-0686?

Exploitation complexity is likely moderate, as it requires an understanding of how the 'key' is used in authorization decisions within the application using url-parse. An attacker needs to be able to supply a crafted URL. There are no explicit authentication or privilege requirements stated, implying that an unauthenticated remote attacker could potentially exploit this if the url-parse component processes user-controlled URLs in an exposed manner. The exploit is remote by nature, as it involves URL manipulation. Special conditions include the application relying on the outcome of url-parse's key interpretation for authorization, and the attacker being able to provide arbitrary URL input. Risk factors increase if the application directly constructs or parses URLs based on untrusted input for sensitive operations.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2022-0686?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch updates the port parsing regular expression to allow empty ports and ensures that, when reconstructing URLs, a trailing colon in the host is preserved. This prevents the parser from incorrectly transforming invalid URLs (such as those with an empty port) into valid ones, addressing the issue in CVE-2022-0686 where improper handling could lead to URL spoofing or ambiguous URL results.
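An application can also reject the empty-port case described above before it makes any host-based access decision on an untrusted URL. The following is an added example, not code from url-parse or Resolved Security. The function names, the allow-list and the sample URLs are constructed for illustration, and it uses Node's built-in WHATWG `URL` rather than url-parse.

```javascript
// Constructed sample data: hosts this hypothetical application trusts.
const ALLOWED_HOSTS = new Set(['app.example.test']);

// Raw authority (text between "//" and the next "/", "?" or "#"), read from
// the input string itself so no parser normalizes it before inspection.
function authorityOf(rawUrl) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]*)/i.exec(rawUrl.trim());
  return m ? m[1] : null;
}

// True when the host[:port] part ends in ":" with no port digits after it.
function hasEmptyPort(authority) {
  return authority.slice(authority.lastIndexOf('@') + 1).endsWith(':');
}

// Decide whether an untrusted URL may be used in a host-based access decision.
function checkUrl(rawUrl, allowedHosts = ALLOWED_HOSTS) {
  const authority = authorityOf(rawUrl);
  if (authority === null) return { ok: false, reason: 'not-absolute' };
  if (hasEmptyPort(authority)) return { ok: false, reason: 'empty-port' };
  let parsed;
  try {
    parsed = new URL(rawUrl.trim());
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return { ok: false, reason: 'scheme' };
  }
  if (!allowedHosts.has(parsed.hostname)) {
    return { ok: false, reason: 'host-not-allowed' };
  }
  return { ok: true, reason: 'allowed', href: parsed.href };
}

// Constructed inputs; the second one carries the empty port.
const SAMPLES = [
  'https://app.example.test/home',
  'https://app.example.test:/home',
  'https://app.example.test:8443/home',
  'https://other.example.test/home',
  '/home',
];
for (const u of SAMPLES) console.log(u, '->', checkUrl(u).reason);
```

Rejecting the empty-port form outright, instead of normalizing it, keeps the string that was checked identical to the string that is later used.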

Available Upgrade Options

  • url-parse
    • <1.5.8 → Upgrade to 1.5.8

Additional Resources

What are Similar Vulnerabilities to CVE-2022-0686?

Similar Vulnerabilities: CVE-2023-45803, CVE-2023-43177, CVE-2023-40134, CVE-2023-38144, CVE-2023-38035