ByteOS Network

NVD Vulnerability Details :

CVE-2021-22964

Analyzed

Source-support@hackerone.com

Published At-14 Oct, 2021 | 15:15

Updated At-20 Oct, 2021 | 18:02

A redirect vulnerability in the `fastify-static` module version >= 4.2.4 and < 4.4.1 allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash `//` followed by a domain: `http://localhost:3000//a//youtube.com/%2e%2e%2f%2e%2e`.A DOS vulnerability is possible if the URL contains invalid characters `curl --path-as-is "http://localhost:3000//^/.."`The issue shows up on all the `fastify-static` applications that set `redirect: true` option. By default, it is `false`.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H
Primary	2.0	6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P

Type: Primary

Version: 3.1

Base score: 8.8

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H

Type: Primary

Version: 2.0

Base score: 6.8

Base severity: MEDIUM

Vector:

AV:N/AC:M/Au:N/C:P/I:P/A:P

CPE Matches

fastify>>fastify-static>>Versions from 4.2.4(inclusive) to 4.4.1(exclusive)

cpe:2.3:a:fastify:fastify-static:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-601	Primary	nvd@nist.gov
CWE-400	Secondary	support@hackerone.com

CWE ID: CWE-601

Type: Primary

Source: nvd@nist.gov

CWE ID: CWE-400

Type: Secondary

Source: support@hackerone.com

References

Hyperlink	Source	Resource
https://hackerone.com/reports/1361804	support@hackerone.com	Exploit Issue Tracking Patch Third Party Advisory

Hyperlink: https://hackerone.com/reports/1361804

Source: support@hackerone.com

Resource:

Exploit

Issue Tracking

Patch

Third Party Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History