CVE-2022-0613: Authorization Bypass Through User-Controlled Key in medialize/uri.js
First published: Wed Feb 16 2022(Updated: )
A flaw was found in urijs due to the fix of CVE-2021-3647 not considering case-sensitive protocol schemes in the URL. This issue allows attackers to bypass the patch.
Credit: security@huntr.dev
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/urijs | <1.19.8 | 1.19.8 |
| redhat/rh-dotnet31-dotnet | <0:3.1.418-1.el7_9 | 0:3.1.418-1.el7_9 |
| redhat/dotnet3.1 | <0:3.1.418-1.el8_5 | 0:3.1.418-1.el8_5 |
| Uri.js Project Uri.js | <1.19.8 | |
| Fedoraproject Fedora | =35 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2022-0613 https://nvd.nist.gov/vuln/detail/CVE-2022-0613
- https://bugzilla.redhat.com/show_bug.cgi?id=2055496
- https://access.redhat.com/errata/RHBA-2022:1352
- https://access.redhat.com/errata/RHSA-2022:1715
- https://access.redhat.com/errata/RHBA-2022:1386
- https://access.redhat.com/errata/RHSA-2022:8652
- https://access.redhat.com/security/cve/cve-2022-0613
- https://github.com/medialize/uri.js/commit/6ea641cc8648b025ed5f30b090c2abd4d1a5249f
- https://huntr.dev/bounties/f53d5c42-c108-40b8-917d-9dad51535083
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MXSSATHALUSXXD2KT6UFZAX7EG4GR332/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2055545
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2055544
- https://github.com/RedHatInsights/insights-remediations/blob/master/package-lock.json
- https://github.com/RedHatInsights/insights-remediations-frontend/blob/master/package-lock.json
- https://github.com/RedHatInsights/insights-advisor-frontend/blob/production/package-lock.json
- https://github.com/RedHatInsights/compliance-frontend/blob/master/package-lock.json
- https://access.redhat.com/errata/RHSA-2022:1681
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MXSSATHALUSXXD2KT6UFZAX7EG4GR332/
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2022-0613?
CVE-2022-0613 is a vulnerability that allows attackers to bypass the patch in urijs prior to version 1.19.8.
What is the severity of CVE-2022-0613?
CVE-2022-0613 has a severity keyword of medium and a severity value of 6.5.
How can I fix CVE-2022-0613?
To fix CVE-2022-0613, update to version 1.19.8 or higher of urijs.
Where can I find more information about CVE-2022-0613?
You can find more information about CVE-2022-0613 at the following references: <ul><li><a href='https://huntr.dev/bounties/f53d5c42-c108-40b8-917d-9dad51535083'>https://huntr.dev/bounties/f53d5c42-c108-40b8-917d-9dad51535083</a></li><li><a href='https://github.com/medialize/uri.js/commit/6ea641cc8648b025ed5f30b090c2abd4d1a5249f'>https://github.com/medialize/uri.js/commit/6ea641cc8648b025ed5f30b090c2abd4d1a5249f</a></li><li><a href='https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2055545'>https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2055545</a></li></ul>
What is the affected software for CVE-2022-0613?
The affected software for CVE-2022-0613 includes urijs prior to version 1.19.8, rh-dotnet31-dotnet version up to exclusive 0:3.1.418-1.el7_9, and dotnet3.1 version up to exclusive 0:3.1.418-1.el8_5.
- collector/redhat-cve
- collector/nvd-index
- agent/remedy
- agent/softwarecombine
- agent/first-publish-date
- agent/weakness
- agent/type
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-0613
- agent/software-canonical-lookup
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/last-modified-date
- agent/title
- agent/tags
- agent/event
- package-manager/redhat
- vendor/uri.js project
- canonical/uri.js project uri.js
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/35