CVE-2021-33502 (High) detected in normalize-url-1.9.1.tgz, normalize-url-3.3.0.tgz
mend-for-github-com opened this issue · comments
CVE-2021-33502 - High Severity Vulnerability
Vulnerable Libraries - normalize-url-1.9.1.tgz, normalize-url-3.3.0.tgz
normalize-url-1.9.1.tgz
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-1.9.1.tgz
Path to dependency file: /tmp/ws-scm/cosmos-ui/package.json
Path to vulnerable library: /tmp/ws-scm/cosmos-ui/node_modules/normalize-url
Dependency Hierarchy:
- webpacker-4.3.0.tgz (Root Library)
- mini-css-extract-plugin-0.8.2.tgz
- ❌ normalize-url-1.9.1.tgz (Vulnerable Library)
- mini-css-extract-plugin-0.8.2.tgz
normalize-url-3.3.0.tgz
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz
Path to dependency file: /tmp/ws-scm/cosmos-ui/package.json
Path to vulnerable library: /tmp/ws-scm/cosmos-ui/node_modules/normalize-url
Dependency Hierarchy:
- webpacker-4.3.0.tgz (Root Library)
- optimize-css-assets-webpack-plugin-5.0.4.tgz
- cssnano-4.1.10.tgz
- cssnano-preset-default-4.0.7.tgz
- postcss-normalize-url-4.0.1.tgz
- ❌ normalize-url-3.3.0.tgz (Vulnerable Library)
- postcss-normalize-url-4.0.1.tgz
- cssnano-preset-default-4.0.7.tgz
- cssnano-4.1.10.tgz
- optimize-css-assets-webpack-plugin-5.0.4.tgz
Found in base branch: develop
Vulnerability Details
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: 2021-05-24
URL: CVE-2021-33502
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
Release Date: 2021-05-24
Fix Resolution: normalize-url - 4.5.1, 5.3.1, 6.0.1
Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.