[security] Add credits for CVE-2022-0691
lpinca committed Feb 20, 2022
1 parent ad23357 commit d547792
Showing 1 changed file with 12 additions and 0 deletions.
12 changes: 12 additions & 0 deletions SECURITY.md
Expand Up @@ -33,6 +33,18 @@ acknowledge your responsible disclosure, if you wish.

## History

> Leading control characters are not removed. This allows an attacker to bypass
> hostname checks and makes the `extractProtocol` method return false positives.
- **Reporter credits**


terapi09 Mar 12, 2022

Good idea

- Haxatron
- GitHub: [@haxatron](https://github.com/haxatron)
- Twitter: [@haxatron1](https://twitter.com/haxatron1)
- Huntr report: https://www.huntr.dev/bounties/57124ed5-4b68-4934-8325-2c546257f2e4/
- Fixed in: 1.5.9

---

> A URL with a specified but empty port can be used to bypass authorization
> checks.
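
Review bot: the added history entry, from the `> Leading control characters are not removed.` quote down to `- Fixed in: 1.5.9`, never states the CVE identifier; CVE-2022-0691 appears only in the commit title, so a reader of SECURITY.md cannot match this entry to the CVE from the file alone. Suggest adding a line such as `- CVE: CVE-2022-0691` next to `- Fixed in: 1.5.9`. Minor style point: the Huntr report is a bare URL while the GitHub and Twitter entries use Markdown links; one form for all three would read more consistently.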