GSD-2022-1002527

Source
https://data.gsd.id/GSD-2022-1002527
Import Source
https://github.com/cloudsecurityalliance/gsd-database/blob/main/2022/1002xxx/GSD-2022-1002527.json
JSON Data
https://api.osv.dev/v1/vulns/GSD-2022-1002527
Withdrawn
2023-03-14T07:01:09.293526Z
Published
2022-07-02T01:38:25.507792Z
Modified
2023-03-14T07:01:09.293526Z
Summary
Improperly formatted security headers in URL redirection, all versions as of 2022-07-07
Details

In the bl.ink URL redirection service, as of 2022-07-07, an improperly formatted security header exists in the HSTS support. Specifically, the header served is "strict-transport-security: max-age=63072000; includeSubdomains;", which contains an extra semicolon (the final one is not needed). This may result in some clients ignoring the HSTS header, rendering this security protection ineffective. As of 2022-07-08 this issue was corrected, with the headers now displaying "strict-transport-security: max-age=63072000; includeSubdomains; preload".
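A small linter for this header, as an added example that is not part of the advisory or of bl.ink's code: it parses a Strict-Transport-Security line into its directives and reports empty directives such as the trailing semicolon described above. The function name `lint_hsts` and the decision to report every empty directive are assumptions of this example.

```python
import re

# Directive names are HTTP tokens; max-age takes decimal seconds.
TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")
SECONDS = re.compile(r"[0-9]+")

# The two header lines quoted in the advisory (before and after the fix).
BEFORE = "strict-transport-security: max-age=63072000; includeSubdomains;"
AFTER = "strict-transport-security: max-age=63072000; includeSubdomains; preload"


def lint_hsts(header_line):
    """Return (policy, findings) for one Strict-Transport-Security line.

    Simplification: values are split on ';' without honouring quoted strings.
    """
    name, sep, value = header_line.partition(":")
    if not sep or name.strip().lower() != "strict-transport-security":
        raise ValueError("not a Strict-Transport-Security header line")
    policy, findings = {}, []
    parts = value.split(";")
    for pos, raw in enumerate(parts):
        item = raw.strip()
        if not item:
            # Empty slot next to a semicolon. Reporting it is this example's
            # policy choice (assumption), following the advisory's concern.
            if len(parts) > 1:
                where = "trailing" if pos == len(parts) - 1 else "stray"
                findings.append(f"empty directive ({where} semicolon)")
            continue
        key, eq, val = item.partition("=")
        key, val = key.strip().lower(), val.strip().strip('"')
        if not TOKEN.fullmatch(key):
            findings.append(f"malformed directive name: {key!r}")
        elif key in policy:
            findings.append(f"duplicate directive: {key}")
        elif key == "max-age":
            if SECONDS.fullmatch(val):
                policy[key] = int(val)
            else:
                findings.append(f"max-age is not a number: {val!r}")
        else:
            policy[key] = val if eq else True
    if "max-age" not in policy:
        findings.append("max-age missing or invalid")
    return policy, findings


if __name__ == "__main__":
    for line in (BEFORE, AFTER):
        print(line, "->", lint_hsts(line))
```

Run against a captured response header in CI or a periodic check so a regression to the 2022-07-07 form is reported before it ships.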
