Resolved issues

CVE-2023-26159: follow-redirects package before 1.15.4 are vulnerable to Improper Input Validation

Versions of the follow-redirects package before 1.15.4 are vulnerable to Improper Input Validation. This vulnerability is due to the improper handling of URLs by the url.parse() function. When a new URL returns an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.

For more details, see (CVE-2023-26159).

CVE-2022-25883: Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the node-semver package

Versions of the semver npm package before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS). This ReDoS vulnerability comes from the new Range function, when untrusted user data is provided as a range.

For more details, see (CVE-2022-25883).

CVE-2023-26136: tough-cookie package before 4.1.3 are vulnerable to Prototype Pollution

Versions of the tough-cookie package before 4.1.3 are vulnerable to Prototype Pollution. This vulnerability is due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

For more details, see (CVE-2023-26136).

CVE-2023-35116: jackson-databind before 2.15.2 are vulnerable to Denial of Service or other unspecified impact

Versions of the jackson-databind library before 2.15.2 are vulnerable to Denial of Service (DoS) attacks or other unspecified impacts using a crafted object that uses cyclic dependencies.

For more details, see (CVE-2023-35116).

For a complete list of all issues resolved in this release, see the list of MTR 1.2.4 resolved issues in Jira.