rpm package
opensuse/uriparser&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/uriparser&distro=openSUSE%20Tumbleweed
Vulnerabilities (12)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-44928 | Low | 2.9 | < 1.0.2-1.1 | 1.0.2-1.1 | May 8, 2026 | In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal. | |
| CVE-2026-44927 | Low | 2.9 | < 1.0.2-1.1 | 1.0.2-1.1 | May 8, 2026 | In uriparser before 1.0.2, there is pointer difference truncation to int in various places. | |
| CVE-2026-42371 | Med | 5.1 | < 1.0.2-1.1 | 1.0.2-1.1 | Apr 27, 2026 | uriparser before 1.0.1 has numeric truncation in text range comparison, if an application accepts URIs with a length in gigabytes. | |
| CVE-2025-67899 | Low | 2.9 | < 1.0.0-1.1 | 1.0.0-1.1 | Dec 14, 2025 | uriparser through 0.9.9 allows unbounded recursion and stack consumption, as demonstrated by ParseMustBeSegmentNzNc with large input containing many commas. | |
| CVE-2024-34403 | — | < 0.9.8-1.1 | 0.9.8-1.1 | May 3, 2024 | An issue was discovered in uriparser through 0.9.7. ComposeQueryMallocExMm in UriQuery.c has an integer overflow via a long string. | ||
| CVE-2024-34402 | — | < 0.9.8-1.1 | 0.9.8-1.1 | May 3, 2024 | An issue was discovered in uriparser through 0.9.7. ComposeQueryEngine in UriQuery.c has an integer overflow via long keys or values, with a resultant buffer overflow. | ||
| CVE-2021-46141 | — | < 0.9.6-1.1 | 0.9.6-1.1 | Jan 6, 2022 | An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriFreeUriMembers and uriMakeOwner. | ||
| CVE-2021-46142 | — | < 0.9.6-1.1 | 0.9.6-1.1 | Jan 6, 2022 | An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriNormalizeSyntax. | ||
| CVE-2018-20721 | — | < 0.9.5-1.2 | 0.9.5-1.2 | Jan 16, 2019 | URI_FUNC() in UriParse.c in uriparser before 0.9.1 has an out-of-bounds read (in uriParse*Ex* functions) for an incomplete URI with an IPv6 address containing an embedded IPv4 address, such as a "//[::44.1" address. | ||
| CVE-2018-19200 | — | < 0.9.5-1.2 | 0.9.5-1.2 | Nov 12, 2018 | An issue was discovered in uriparser before 0.9.0. UriCommon.c allows attempted operations on NULL input via a uriResetUri* function. | ||
| CVE-2018-19199 | — | < 0.9.5-1.2 | 0.9.5-1.2 | Nov 12, 2018 | An issue was discovered in uriparser before 0.9.0. UriQuery.c allows an integer overflow via a uriComposeQuery* or uriComposeQueryEx* function because of an unchecked multiplication. | ||
| CVE-2018-19198 | — | < 0.9.5-1.2 | 0.9.5-1.2 | Nov 12, 2018 | An issue was discovered in uriparser before 0.9.0. UriQuery.c allows an out-of-bounds write via a uriComposeQuery* or uriComposeQueryEx* function because the '&' character is mishandled in certain contexts. |
- affected < 1.0.2-1.1fixed 1.0.2-1.1
In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal.
- affected < 1.0.2-1.1fixed 1.0.2-1.1
In uriparser before 1.0.2, there is pointer difference truncation to int in various places.
- affected < 1.0.2-1.1fixed 1.0.2-1.1
uriparser before 1.0.1 has numeric truncation in text range comparison, if an application accepts URIs with a length in gigabytes.
- affected < 1.0.0-1.1fixed 1.0.0-1.1
uriparser through 0.9.9 allows unbounded recursion and stack consumption, as demonstrated by ParseMustBeSegmentNzNc with large input containing many commas.
- CVE-2024-34403May 3, 2024affected < 0.9.8-1.1fixed 0.9.8-1.1
An issue was discovered in uriparser through 0.9.7. ComposeQueryMallocExMm in UriQuery.c has an integer overflow via a long string.
- CVE-2024-34402May 3, 2024affected < 0.9.8-1.1fixed 0.9.8-1.1
An issue was discovered in uriparser through 0.9.7. ComposeQueryEngine in UriQuery.c has an integer overflow via long keys or values, with a resultant buffer overflow.
- CVE-2021-46141Jan 6, 2022affected < 0.9.6-1.1fixed 0.9.6-1.1
An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriFreeUriMembers and uriMakeOwner.
- CVE-2021-46142Jan 6, 2022affected < 0.9.6-1.1fixed 0.9.6-1.1
An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriNormalizeSyntax.
- CVE-2018-20721Jan 16, 2019affected < 0.9.5-1.2fixed 0.9.5-1.2
URI_FUNC() in UriParse.c in uriparser before 0.9.1 has an out-of-bounds read (in uriParse*Ex* functions) for an incomplete URI with an IPv6 address containing an embedded IPv4 address, such as a "//[::44.1" address.
- CVE-2018-19200Nov 12, 2018affected < 0.9.5-1.2fixed 0.9.5-1.2
An issue was discovered in uriparser before 0.9.0. UriCommon.c allows attempted operations on NULL input via a uriResetUri* function.
- CVE-2018-19199Nov 12, 2018affected < 0.9.5-1.2fixed 0.9.5-1.2
An issue was discovered in uriparser before 0.9.0. UriQuery.c allows an integer overflow via a uriComposeQuery* or uriComposeQueryEx* function because of an unchecked multiplication.
- CVE-2018-19198Nov 12, 2018affected < 0.9.5-1.2fixed 0.9.5-1.2
An issue was discovered in uriparser before 0.9.0. UriQuery.c allows an out-of-bounds write via a uriComposeQuery* or uriComposeQueryEx* function because the '&' character is mishandled in certain contexts.