cnvd - cnvd-2020-24030

CNVD-2020-24030

Vulnerability from cnvd - Published: 2020-04-21

Title

Google Closure Library输入验证错误漏洞

Description

Google Closure Library是美国谷歌（Google）的一款跨浏览器的、模块化的JavaScript库。 Google Closure Library v20200224及之前版本中goog.uri文件存在安全漏洞。攻击者可通过发送恶意的URLs利用该漏洞获取非法授权。

Severity

高

Patch Name

Google Closure Library输入验证错误漏洞的补丁

Patch Description

Google Closure Library是美国谷歌（Google）的一款跨浏览器的、模块化的JavaScript库。 Google Closure Library v20200224及之前版本中goog.uri文件存在安全漏洞。攻击者可通过发送恶意的URLs利用该漏洞获取非法授权。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/google/closure-library/releases/tag/v20200315

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-8910

Impacted products

Name
Google Closure Library <=v20200224

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-8910"
    }
  },
  "description": "Google Closure Library\u662f\u7f8e\u56fd\u8c37\u6b4c\uff08Google\uff09\u7684\u4e00\u6b3e\u8de8\u6d4f\u89c8\u5668\u7684\u3001\u6a21\u5757\u5316\u7684JavaScript\u5e93\u3002\n\nGoogle Closure Library v20200224\u53ca\u4e4b\u524d\u7248\u672c\u4e2dgoog.uri\u6587\u4ef6\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u53d1\u9001\u6076\u610f\u7684URLs\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u975e\u6cd5\u6388\u6743\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/google/closure-library/releases/tag/v20200315",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-24030",
  "openTime": "2020-04-21",
  "patchDescription": "Google Closure Library\u662f\u7f8e\u56fd\u8c37\u6b4c\uff08Google\uff09\u7684\u4e00\u6b3e\u8de8\u6d4f\u89c8\u5668\u7684\u3001\u6a21\u5757\u5316\u7684JavaScript\u5e93\u3002\r\n\r\nGoogle Closure Library v20200224\u53ca\u4e4b\u524d\u7248\u672c\u4e2dgoog.uri\u6587\u4ef6\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u53d1\u9001\u6076\u610f\u7684URLs\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u975e\u6cd5\u6388\u6743\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Google Closure Library\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Google Closure Library \u003c=v20200224"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-8910",
  "serverity": "\u9ad8",
  "submitTime": "2020-03-27",
  "title": "Google Closure Library\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e"
}

CVE-2020-8910 (GCVE-0-2020-8910)

Vulnerability from cvelistv5 – Published: 2020-03-26 11:38 – Updated: 2024-08-04 10:12

Summary

A URL parsing issue in goog.uri of the Google Closure Library versions up to and including v20200224 allows an attacker to send malicious URLs to be parsed by the library and return the wrong authority. Mitigation: update your library to version v20200315.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE

CWE-625 - cwe-625
Bad URL parsing

Assigner

Google

References

URL

Tags

	https://github.com/google/closure-library/commit/…	x_refsource_CONFIRM
	https://github.com/google/closure-library/release…	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Google	Closure-Library	Affected: v20200224 , ≤ v20200224 (custom)

Credits

David Schütz François Lajeunesse-Robert

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T10:12:10.953Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/google/closure-library/commit/294fc00b01d248419d8f8de37580adf2a0024fc9"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/google/closure-library/releases/tag/v20200315"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Closure-Library",
          "vendor": "Google",
          "versions": [
            {
              "lessThanOrEqual": "v20200224",
              "status": "affected",
              "version": "v20200224",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "David Sch\u00fctz"
        },
        {
          "lang": "en",
          "value": "Fran\u00e7ois Lajeunesse-Robert"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A URL parsing issue in goog.uri of the Google Closure Library versions up to and including v20200224 allows an attacker to send malicious URLs to be parsed by the library and return the wrong authority. Mitigation: update your library to version v20200315."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-625",
              "description": "cwe-625",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "description": "Bad URL parsing",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-03-26T11:38:26",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/google/closure-library/commit/294fc00b01d248419d8f8de37580adf2a0024fc9"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/google/closure-library/releases/tag/v20200315"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Auth Bypass in Google\u0027s Closure-Library",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@google.com",
          "ID": "CVE-2020-8910",
          "STATE": "PUBLIC",
          "TITLE": "Auth Bypass in Google\u0027s Closure-Library"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Closure-Library",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "v20200224",
                            "version_value": "v20200224"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Google"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "David Sch\u00fctz"
          },
          {
            "lang": "eng",
            "value": "Fran\u00e7ois Lajeunesse-Robert"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A URL parsing issue in goog.uri of the Google Closure Library versions up to and including v20200224 allows an attacker to send malicious URLs to be parsed by the library and return the wrong authority. Mitigation: update your library to version v20200315."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "cwe-625"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Bad URL parsing"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/google/closure-library/commit/294fc00b01d248419d8f8de37580adf2a0024fc9",
              "refsource": "CONFIRM",
              "url": "https://github.com/google/closure-library/commit/294fc00b01d248419d8f8de37580adf2a0024fc9"
            },
            {
              "name": "https://github.com/google/closure-library/releases/tag/v20200315",
              "refsource": "CONFIRM",
              "url": "https://github.com/google/closure-library/releases/tag/v20200315"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2020-8910",
    "datePublished": "2020-03-26T11:38:26",
    "dateReserved": "2020-02-12T00:00:00",
    "dateUpdated": "2024-08-04T10:12:10.953Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-24030

CVE-2020-8910 (GCVE-0-2020-8910)

Tags

Sightings

Nomenclature