CVE-2018-12123
Published: 28 November 2018
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.
From the Ubuntu Security Team
Martin Bajanik discovered that the url.parse() method would return incorrect results if it received specially crafted input. An attacker could use this vulnerability to spoof the hostname and bypass hostname-specific security controls.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
nodejs Launchpad, Ubuntu, Debian |
bionic |
Released
(8.10.0~dfsg-2ubuntu0.4+esm1)
Available with Ubuntu Pro |
| cosmic |
Ignored
(end of life)
|
|
| disco |
Not vulnerable
(10.15.1~dfsg-5)
|
|
| eoan |
Not vulnerable
(10.15.1~dfsg-5)
|
|
| focal |
Not vulnerable
(10.15.1~dfsg-5)
|
|
| groovy |
Not vulnerable
(10.15.1~dfsg-5)
|
|
| hirsute |
Not vulnerable
(10.15.1~dfsg-5)
|
|
| impish |
Not vulnerable
(10.15.1~dfsg-5)
|
|
| jammy |
Not vulnerable
(10.15.1~dfsg-5)
|
|
| kinetic |
Not vulnerable
(10.15.1~dfsg-5)
|
|
| lunar |
Not vulnerable
(10.15.1~dfsg-5)
|
|
| mantic |
Not vulnerable
(10.15.1~dfsg-5)
|
|
| noble |
Not vulnerable
(10.15.1~dfsg-5)
|
|
| trusty |
Needed
|
|
| upstream |
Released
(8.14.0, 10.14.0)
|
|
| xenial |
Needed
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 4.3 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |