Security Bulletin
[High] Lokka: Azure Resource Manager URL path validation issue
Security Bulletin · Severity: High · GHSA-g2gw-q38m-vjfc
Vulnerability summary
Lokka versions prior to 2.1.2 constructed Azure Resource Manager request URLs using direct string concatenation with user-controlled path input. Specially crafted path values could alter URL authority parsing and cause Azure Resource Manager bearer tokens to be sent to an unintended host. Version 2.1.2 fixes the issue by validating Azure paths before token acquisition and constructing Azure Resource Manager URLs with the standard URL API while preserving the expected management.azure.com host.
Reported by 정해창 haechang__@naver.com
Affected components
| Ecosystem | Component | Affected versions | Fixed version |
|---|---|---|---|
| npm | @merill/lokka | < 2.1.2 | 2.1.2 |
Remediation
Upgrade @merill/lokka to version 2.1.2 or later.
References
- GitHub Advisory GHSA-g2gw-q38m-vjfc
- https://github.com/merill/lokka/security/advisories/GHSA-g2gw-q38m-vjfc
This bulletin is compiled from the GitHub Advisory Database (CC-BY-4.0 licensed); the data source is credited above.
© Copyright notice: this article was written/compiled by the author "system"; the content is provided for security research and learning only and may not be reproduced without permission.