VDB
Severity: HIGH

GHSA-g2gw-q38m-vjfc

Lokka: Azure Resource Manager URL path validation issue

Details

Lokka versions prior to 2.1.2 constructed Azure Resource Manager request URLs using direct string concatenation with user-controlled path input. Specially crafted path values could alter URL authority parsing and cause Azure Resource Manager bearer tokens to be sent to an unintended host. Version 2.1.2 fixes the issue by validating Azure paths before token acquisition and constructing Azure Resource Manager URLs with the standard URL API while preserving the expected management.azure.com host.
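The two construction styles contrasted in the advisory, as an added illustration that is not Lokka's own code: a builder that concatenates the caller-supplied path onto the base string with no check on what authority the result will parse to, beside one that validates the path first, resolves it with the WHATWG URL API against a fixed base, and confirms the parsed host is still management.azure.com before any token is acquired. The validation rules, the function names, and the constructed test inputs are assumptions made for this example, not the package's actual implementation.

```javascript
// Added example (not Lokka's own code). Contrasts string-concatenation URL
// building with a validated, URL-API-based builder that pins the ARM host.

const ARM_HOST = 'management.azure.com';
const ARM_BASE = `https://${ARM_HOST}`;

// Pre-2.1.2 pattern described in the advisory: plain string concatenation.
// Nothing here checks which authority the resulting string parses to.
function buildArmUrlUnsafe(path) {
  return ARM_BASE + path;
}

// Assumed validation (not Lokka's): an ARM path is an absolute path such as
// "/subscriptions/..." with an optional api-version query string. Anything
// that could be read as an authority or that leaves the path component is
// rejected before the path gets anywhere near a token.
function validateAzurePath(path) {
  if (typeof path !== 'string' || path.length === 0) {
    throw new Error('Azure path must be a non-empty string');
  }
  if (!path.startsWith('/')) {
    throw new Error('Azure path must start with "/"');
  }
  if (path.startsWith('//')) {
    throw new Error('Azure path must not be protocol-relative');
  }
  if (/[\\@#\s]/.test(path)) {
    throw new Error('Azure path contains characters not allowed in an ARM path');
  }
  return path;
}

// Hardened builder: validate, resolve against the fixed base with the URL
// API, then re-check the parsed authority so a surprising parse cannot
// redirect the request (and its bearer token) to another host.
function buildArmUrl(path) {
  validateAzurePath(path);
  const url = new URL(path, ARM_BASE);
  if (url.protocol !== 'https:' || url.host !== ARM_HOST) {
    throw new Error(`URL authority changed unexpectedly: ${url.host}`);
  }
  return url.toString();
}

// Order matters: the destination is validated and built before the token is
// acquired, so a rejected path never causes a token to be fetched or sent.
// acquireToken and fetchImpl are injected so the flow can be exercised
// offline with constructed stand-ins.
async function armRequest(path, acquireToken, fetchImpl = fetch) {
  const url = buildArmUrl(path);
  const token = await acquireToken();
  return fetchImpl(url, { headers: { Authorization: `Bearer ${token}` } });
}
```

The final `url.host` comparison is deliberately redundant with the validator: the validator documents which inputs are acceptable, while the host check guards against any future change to the base URL or the validation rules silently loosening the guarantee that tokens only ever go to management.azure.com.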

Reported by 정해창 <haechang__@naver.com>


Affected package

npm / @merill/lokka
First affected version: 0
Fixed version: 2.1.2
Fix: npm install @merill/lokka@2.1.2

References