Insufficient Validation Affecting google-closure-library package, versions <20200315.0.0


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.09% (38th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-GOOGLECLOSURELIBRARY-561341
  • published 26 Mar 2020
  • disclosed 26 Mar 2020
  • credit Unknown

How to fix?

Upgrade google-closure-library to version 20200315.0.0 or higher.

Overview

google-closure-library is a powerful, low-level JavaScript library designed for building complex and scalable web applications. It is used by many Google web applications, such as Google Search, Gmail, Google Docs, Google+, Google Maps, and others.

Affected versions of this package are vulnerable to Insufficient Validation. A URL parsing issue in goog.uri of the Google Closure Library allows an attacker to send malicious URLs to be parsed by the library and return the wrong authority.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
6.5 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    Required
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    None
  • Availability (A)
    None
Expand this section

NVD

6.5 medium