CVE-2018-12123

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

History

06 Sep 2022, 17:56

Type Values Removed Values Added
References (GENTOO) https://security.gentoo.org/glsa/202003-48 - (GENTOO) https://security.gentoo.org/glsa/202003-48 - Third Party Advisory
References (REDHAT) https://access.redhat.com/errata/RHSA-2019:1821 - (REDHAT) https://access.redhat.com/errata/RHSA-2019:1821 - Third Party Advisory
CPE cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:* cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*

Information

Published : 2018-11-28 17:29

Updated : 2023-12-10 12:44


NVD link : CVE-2018-12123

Mitre link : CVE-2018-12123

CVE.ORG link : CVE-2018-12123


JSON object : View

Products Affected

nodejs

  • node.js
CWE
CWE-20

Improper Input Validation

CWE-115

Misinterpretation of Input