CVE-2018-12123

Name
CVE-2018-12123
Description
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Patch https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
REDHAT https://access.redhat.com/errata/RHSA-2019:1821
GENTOO https://security.gentoo.org/glsa/202003-48

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:* nodejs >= 11.0.0 <= 11.3.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:* nodejs >= 10.0.0 <= 10.14.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:* nodejs >= 8.0.0 <= 8.14.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:* nodejs >= 6.0.0 <= 6.15.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status