Resolved issues
follow-redirects package before 1.15.4 are vulnerable to Improper Input ValidationVersions of the follow-redirects package before 1.15.4 are vulnerable to Improper Input Validation. This vulnerability is due to the improper handling of URLs by the url.parse() function. When a new URL returns an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.
For more details, see (CVE-2023-26159).
node-semver packageVersions of the semver npm package before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS). This ReDoS vulnerability comes from the new Range function, when untrusted user data is provided as a range.
For more details, see (CVE-2022-25883).
tough-cookie package before 4.1.3 are vulnerable to Prototype PollutionVersions of the tough-cookie package before 4.1.3 are vulnerable to Prototype Pollution. This vulnerability is due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
For more details, see (CVE-2023-26136).
jackson-databind before 2.15.2 are vulnerable to Denial of Service or other unspecified impactVersions of the jackson-databind library before 2.15.2 are vulnerable to Denial of Service (DoS) attacks or other unspecified impacts using a crafted object that uses cyclic dependencies.
For more details, see (CVE-2023-35116).
For a complete list of all issues resolved in this release, see the list of MTR 1.2.4 resolved issues in Jira.