CVE Vulnerability

CVE-2018-3774

Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol.

7.5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 6.4

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

10 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References
Link Resource
https://hackerone.com/reports/384029 Issue Tracking Third Party Advisory
https://github.com/unshiftio/url-parse/commit/d7b582ec1243e8024e60ac0b62d2569c939ef5de Vendor Advisory
https://github.com/unshiftio/url-parse/commit/53b1794e54d0711ceb52505e0f74145270570d5a Vendor Advisory
Configurations

Configuration 1

cpe:2.3:o:url-parse_project:url-parse:*:*:*:*:*:*:*:*
Information

Published : 2018-08-12 10:29

Updated : 2019-10-09 11:40

NVD link : CVE-2018-3774

Mitre link : CVE-2018-3774

Products Affected
No products.
CWE
CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

CWE-918

Server-Side Request Forgery (SSRF)