
CVE-2020-8910: Improper Input Validation in Google Closure Library

Basic Information

CVSS Score: 6.5 (CVSS v3.1)
EPSS Score: 0.22584%
Published: 5/7/2021
Updated: 1/29/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Package Name             Ecosystem   Vulnerable Versions   First Patched Version
google-closure-library   npm         <= 20200224.0.0       20200315.0.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from the splitRe_ regular expression in goog.uri.utils (utils.js), which the fix updated so that backslashes are treated as authority-terminating characters rather than as ordinary characters inside the userInfo and domain parts. The commit diff shows that regex change together with new tests for URLs such as 'https://malicious.com@test.google.com', for which getDomain and getPath previously returned the wrong values. Functions such as getDomain and getPath obtain their results by applying splitRe_, so any caller that uses them to decide which host a URL points at inherits the bug: a check built on them can approve a URL whose real authority differs from the one the library reports. Confidence is high because the regex fix, the added test cases and the CVE description all point at the same code.
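To make the parsing difference concrete, here is an added example (not code from the Closure Library, nor from the analysis above) with two simplified splitters written in the shape the analysis describes: one whose userInfo and domain groups and authority-terminator lookahead ignore backslashes, and one that treats a backslash as an authority-terminating character. The regexes are my approximation of a splitRe_-style pattern, not copies of the library's. The crafted input is constructed: it takes the page's 'https://malicious.com@test.google.com' and inserts a backslash before the '@' so that the backslash handling the fix added actually comes into play. As a check, each splitter's domain is compared with the hostname that Node's WHATWG URL parser (the same algorithm browsers use) returns for the string.

```javascript
// Added example: simplified reconstruction of a splitRe_-style URL splitter,
// before and after backslash handling. Not Closure Library code.
// Capture groups: 1 scheme, 2 userInfo, 3 domain, 4 port, 5 path, 6 query, 7 fragment.

// "Before": a backslash is an ordinary character inside userInfo and domain,
// and does not terminate the authority.
const SPLIT_RE_NO_BACKSLASH = new RegExp(
  '^' +
  '(?:([^:/?#.]+):)?' +        // 1 scheme
  '(?://' +
  '(?:([^/?#]*)@)?' +          // 2 userInfo (backslash allowed)
  '([^/?#]*?)' +               // 3 domain   (backslash allowed)
  '(?::([0-9]+))?' +           // 4 port
  '(?=[/?#]|$)' +              // authority terminator: no backslash here
  ')?' +
  '([^?#]+)?' +                // 5 path
  '(?:\\?([^#]*))?' +          // 6 query
  '(?:#([\\s\\S]*))?' +        // 7 fragment
  '$');

// "After": a backslash ends userInfo and domain and counts as an
// authority-terminating character, so everything after it is path.
const SPLIT_RE_BACKSLASH_TERMINATES = new RegExp(
  '^' +
  '(?:([^:/?#.]+):)?' +        // 1 scheme
  '(?://' +
  '(?:([^\\\\/?#]*)@)?' +      // 2 userInfo stops at a backslash
  '([^\\\\/?#]*?)' +           // 3 domain   stops at a backslash
  '(?::([0-9]+))?' +           // 4 port
  '(?=[\\\\/?#]|$)' +          // a backslash now terminates the authority
  ')?' +
  '([^?#]+)?' +                // 5 path
  '(?:\\?([^#]*))?' +          // 6 query
  '(?:#([\\s\\S]*))?' +        // 7 fragment
  '$');

// Apply one splitter to a URL and name the captured pieces (null when absent).
function splitUri(re, uri) {
  const m = re.exec(uri);
  if (!m) return null;
  const pick = (i) => (m[i] === undefined ? null : m[i]);
  return {
    scheme: pick(1), userInfo: pick(2), domain: pick(3), port: pick(4),
    path: pick(5), query: pick(6), fragment: pick(7),
  };
}

// Hostname as the WHATWG URL parser sees it, or null if the string does not
// parse as a URL at all. `URL` is a global in Node and in browsers.
function whatwgHost(uri) {
  try { return new URL(uri).hostname; } catch (e) { return null; }
}

// True when the splitter's idea of the domain disagrees with the platform
// parser: exactly the condition a host allow-list check must not tolerate.
function domainMismatch(re, uri) {
  const parts = splitUri(re, uri);
  const libDomain = parts ? parts.domain : null;
  return libDomain !== whatwgHost(uri);
}

// Constructed inputs (not taken from the page): the page's example URL with a
// backslash inserted before the '@', plus an ordinary URL for comparison.
const CRAFTED = 'https://malicious.com\\@test.google.com';
const BENIGN = 'https://user@test.google.com/path?q=1#frag';

for (const [label, re] of [['before', SPLIT_RE_NO_BACKSLASH],
                           ['after', SPLIT_RE_BACKSLASH_TERMINATES]]) {
  console.log(label, CRAFTED, splitUri(re, CRAFTED),
              'mismatch:', domainMismatch(re, CRAFTED));
  console.log(label, BENIGN, 'mismatch:', domainMismatch(re, BENIGN));
}
```

With the pre-fix pattern the crafted string yields userInfo 'malicious.com\' and domain 'test.google.com', while the WHATWG parser stops the authority at the backslash and reports 'malicious.com' as the host; the post-fix pattern agrees with the platform parser and pushes '\@test.google.com' into the path. Whatever version of a URL library is in use, a domainMismatch-style cross-check against the platform parser is a cheap guard for any host-based allow-list.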


WAF Protection Rules

WAF Rule

A URL parsing issue in goog.uri of the Google Closure Library versions up to and including v20200224 allows an attacker to send malicious URLs to be parsed by the library and return the wrong authority. Mitigation -- update your library to version v20200315.
