Skip to main content

Authorization Bypass Through User-Controlled Key

CVE-2022-0686

Severity High
Score 9.1/10

Summary

Authorization Bypass through User-Controlled Key in NPM url-parse prior to 1.5.8. When no port number is provided in the "url", url-parse is unable to find the correct hostname.

  • LOW
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • NONE
  • HIGH
  • NONE

CWE-639 - Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Advisory Timeline

  • Published