CVE-2021-41259 - log

CVE-2021-41259 edited at 12 Nov 2021 19:31:28
Severity
- Unknown
+ Low
Remote
- Unknown
+ Remote
Type
- Unknown
+ Insufficient validation
Description
+ In Nim, the uri.parseUri function, which may be used to validate URIs, accepts null bytes in the input URI. This behavior could be used to bypass URI validation. For example: parseUri("http://localhost\0hello").hostname is set to "localhost\0hello". Additionally, httpclient.getContent accepts null bytes in the input URL and ignores any data after the first null byte. Example: getContent("http://localhost\0hello") makes a request to localhost:80. An attacker can use null bytes to bypass the check and mount a server-side request forgery (SSRF) attack.
References
+ https://github.com/nim-lang/security/security/advisories/GHSA-3gg2-rw3q-qwgc
CVE-2021-41259 created at 12 Nov 2021 19:29:49
Severity
+ Unknown
Remote
+ Unknown
Type
+ Unknown
Description
References
Notes