---

CVE-2021-41259 - log back

CVE-2021-41259 edited at 12 Nov 2021 19:31:28
Severity	- Unknown + Low
Remote	- Unknown + Remote
Type	- Unknown + Insufficient validation
Description	+ In Nim, the uri.parseUri function which may be used to validate URIs accepts null bytes in the input URI. This behavior could be used to bypass URI validation. For example: parseUri("http://localhost\0hello").hostname is set to "localhost\0hello". Additionally, httpclient.getContent accepts null bytes in the input URL and ignores any data after the first null byte. Example: getContent("http://localhost\0hello") makes a request to localhost:80. An attacker can use a null bytes to bypass the check and mount a server-side request forgery (SSRF) attack.
References	+ https://github.com/nim-lang/security/security/advisories/GHSA-3gg2-rw3q-qwgc

CVE-2021-41259 created at 12 Nov 2021 19:29:49
Severity	+ Unknown
Remote	+ Unknown
Type	+ Unknown
Description
References
Notes