From 08f2c78ccf3688ad2ed44d0c2239742ea1693cdb Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Tue, 27 Jul 2021 17:44:41 +0000
Subject: [PATCH] Add OSSA-2021-002 (CVE-2021-3654)
Change-Id: I1574738a9aa047314c9b933f8bbe032d346cd2d7
Closes-Bug: #1927677
---
 ossa/OSSA-2021-002.yaml | 62 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 ossa/OSSA-2021-002.yaml
diff --git a/ossa/OSSA-2021-002.yaml b/ossa/OSSA-2021-002.yaml
new file mode 100644
index 0000000..994aa9e
--- /dev/null
+++ b/ossa/OSSA-2021-002.yaml
@@ -0,0 +1,62 @@
+date: 2021-07-29
+
+id: OSSA-2021-002
+
+title: Open Redirect in noVNC proxy
+
+description: >
+  Swe Aung, Shahaan Ayyub, and Salman Khan with the Monash University Cyber
+  Security team reported a vulnerability affecting Nova's noVNC proxying
+  implementation which exposed access to a well-known redirect behavior in the
+  Python standard library's http.server.SimpleHTTPRequestHandler and thus
+  noVNC's WebSockifyRequestHandler which uses it. By convincing a user to
+  follow a specially-crafted novncproxy URL, the user could be redirected to an
+  unrelated site under control of the attacker in an attempt to convince them
+  to divulge credentials or other sensitive data. All Nova deployments with
+  novncproxy enabled are affected.
+
+affected-products:
+  - product: Nova
+    version: '<21.2.3, >=22.0.0 <22.2.3, >=23.0.0 <23.0.2'
+
+vulnerabilities:
+  - cve-id: CVE-2021-3654
+
+reporters:
+  - name: Swe Aung
+    affiliation: Monash University Cyber Security team
+    reported:
+      - CVE-2021-3654
+  - name: Shahaan Ayyub
+    affiliation: Monash University Cyber Security team
+    reported:
+      - CVE-2021-3654
+  - name: Salman Khan
+    affiliation: Monash University Cyber Security team
+    reported:
+      - CVE-2021-3654
+
+issues:
+  links:
+    - https://launchpad.net/bugs/1927677
+    - https://bugs.python.org/issue32084
+
+reviews:
+  xena:
+    - https://review.opendev.org/791297
+
+  wallaby:
+    - https://review.opendev.org/791577
+
+  victoria:
+    - https://review.opendev.org/791805
+
+  ussuri:
+    - https://review.opendev.org/791806
+
+  train:
+    - https://review.opendev.org/791807
+
+notes:
+  - The stable/train branch is under extended maintenance and will receive no
+    new point releases, but a patch for it is provided as a courtesy.
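Review bot: The `date: 2021-07-29` scalar on the first added line is the only value in this file that a YAML loader implicitly types — PyYAML and other 1.1/1.2 loaders turn it into a native date object rather than a string, whereas `version` and the remaining scalars stay strings. If the tooling that consumes these advisory files expects a string (I cannot tell from the hunk), quote it as `date: '2021-07-29'`; if it deliberately relies on a date object, the current form is fine and a short comment saying so would spare future editors the same question. Separately, the description's closing sentence `All Nova deployments with novncproxy enabled are affected.` reads broader than the affected-products ranges immediately below it; `All Nova deployments of the affected versions with novncproxy enabled are affected.` would keep the two consistent.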