CVE-2022-24723Improper Input Validation in Uri.js

CWE-20Improper Input ValidationCWE-1173Improper Use of Validation Framework5 documents4 sources
Severity
5.3MEDIUMNVD
EPSS
0.5%
top 34.37%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Medialize Uri.jsUri.js Project Uri.js
Timeline
PublishedMar 3

Description

URI.js is a Javascript URL mutation library. Before version 1.19.9, whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly. This issue has been patched in version 1.19.9. Removing leading whitespace from values before passing them to URI.parse can be used as a workaround.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

CVEListV5medialize/uri.js< 1.19.9
NVDuri.js_project/uri.js< 1.19.9

Patches

Patch: github.comPatch: huntr.devPatch: github.com

🔴Vulnerability Details

3
OSV
Leading white space bypasses protocol validation2022-03-03
OSV
CVE-2022-24723: URI2022-03-03
GHSA
Leading white space bypasses protocol validation2022-03-03

📋Vendor Advisories

1
Red Hat
urijs: Leading white space bypasses protocol validation2022-03-03