CVE-2021-27515: Input Validation
First published: Sun Feb 21 2021(Updated: )
An input validation flaw exists in the node.js-url-parse, which results in the URL being incorrectly set to the document location protocol instead of the URL being passed as an argument. This flaw allows an attacker to bypass security checks on URLs. The highest threat from this vulnerability is to integrity. This is an incomplete fix for CVE-2020-8124.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Url-parse Project Url-parse | <1.5.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://advisory.checkmarx.net/advisory/CX-2021-4306
- https://github.com/unshiftio/url-parse/commit/d1e7e8822f26e8a49794b757123b51386325b2b0
- https://github.com/unshiftio/url-parse/compare/1.4.7...1.5.0
- https://github.com/unshiftio/url-parse/pull/197
- https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html
- https://access.redhat.com/errata/RHSA-2021:3917
- https://access.redhat.com/security/cve/cve-2021-27515
- https://bugzilla.redhat.com/show_bug.cgi?id=1934474
- https://www.cve.org/CVERecord?id=CVE-2021-27515 https://nvd.nist.gov/vuln/detail/CVE-2021-27515
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2021-27515.
What is the severity of CVE-2021-27515?
The severity of CVE-2021-27515 is medium with a CVSS score of 5.3.
Which software is affected by CVE-2021-27515?
The url-parse package before version 1.5.0 is affected by CVE-2021-27515.
How does CVE-2021-27515 affect security?
CVE-2021-27515 allows an attacker to bypass security checks on URLs.
How can I fix CVE-2021-27515?
To fix CVE-2021-27515, upgrade to version 1.5.0 of the url-parse package.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/references
- agent/remedy
- agent/severity
- agent/weakness
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-27515
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/description
- agent/event
- agent/trending
- agent/tags
- agent/source
- vendor/url-parse project
- canonical/url-parse project url-parse
- package-manager/redhat