{
  "threat_severity" : "Moderate",
  "public_date" : "2022-03-03T00:00:00Z",
  "bugzilla" : {
    "description" : "urijs: Leading white space bypasses protocol validation",
    "id" : "2062370",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2062370"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-1173",
  "details" : [ "URI.js is a Javascript URL mutation library. Before version 1.19.9, whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly. This issue has been patched in version 1.19.9. Removing leading whitespace from values before passing them to URI.parse can be used as a workaround.", "An improper input validation flaw was found in urijs where white space characters are not removed from the beginning of an URL. This issue allows bypassing the protocol validation." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Fuse 7.11.1",
    "release_date" : "2022-11-28T00:00:00Z",
    "advisory" : "RHSA-2022:8652",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "urijs"
  } ],
  "package_state" : [ {
    "product_name" : ".NET Core 3.1 on Red Hat Enterprise Linux",
    "fix_state" : "Affected",
    "package_name" : "rh-dotnet31-dotnet",
    "cpe" : "cpe:/a:redhat:rhel_dotnet:3.1"
  }, {
    "product_name" : ".NET Core 5.0 on Red Hat Enterprise Linux",
    "fix_state" : "Out of support scope",
    "package_name" : "rh-dotnet50-dotnet",
    "cpe" : "cpe:/a:redhat:rhel_dotnet:5.0"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Affected",
    "package_name" : "rhacm2/application-ui-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Will not fix",
    "package_name" : "rhacm2/mcm-topology-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "dotnet3.1",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "dotnet5.0",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Will not fix",
    "package_name" : "quay/quay-rhel8",
    "cpe" : "cpe:/a:redhat:quay:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-24723\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-24723" ],
  "name" : "CVE-2022-24723",
  "csaw" : false
}