78 lines
2.3 KiB
YAML
78 lines
2.3 KiB
YAML
date: 2021-07-29
|
|
|
|
id: OSSA-2021-002
|
|
|
|
title: Open Redirect in noVNC proxy
|
|
|
|
description: >
|
|
Swe Aung, Shahaan Ayyub, and Salman Khan with the Monash University Cyber
|
|
Security team reported a vulnerability affecting Nova's noVNC proxying
|
|
implementation which exposed access to a well-known redirect behavior in the
|
|
Python standard library's http.server.SimpleHTTPRequestHandler and thus
|
|
noVNC's WebSockifyRequestHandler which uses it. By convincing a user to
|
|
follow a specially-crafted novncproxy URL, the user could be redirected to an
|
|
unrelated site under control of the attacker in an attempt to convince them
|
|
to divulge credentials or other sensitive data. All Nova deployments with
|
|
novncproxy enabled are affected.
|
|
|
|
errata: >
|
|
The initial fix did not take into account the possibility of bypass using
|
|
exactly three slashes. This update provides a more thorough revised fix for
|
|
the issue. The affected versions list has been updated to indicate versions
|
|
expected to include the newer solution.
|
|
|
|
affected-products:
|
|
- product: Nova
|
|
version: '<21.2.3, >=22.0.0 <22.2.3, >=23.0.0 <23.0.3'
|
|
|
|
vulnerabilities:
|
|
- cve-id: CVE-2021-3654
|
|
|
|
reporters:
|
|
- name: Swe Aung
|
|
affiliation: Monash University Cyber Security team
|
|
reported:
|
|
- CVE-2021-3654
|
|
- name: Shahaan Ayyub
|
|
affiliation: Monash University Cyber Security team
|
|
reported:
|
|
- CVE-2021-3654
|
|
- name: Salman Khan
|
|
affiliation: Monash University Cyber Security team
|
|
reported:
|
|
- CVE-2021-3654
|
|
|
|
issues:
|
|
links:
|
|
- https://launchpad.net/bugs/1927677
|
|
- https://bugs.python.org/issue32084
|
|
|
|
reviews:
|
|
xena:
|
|
- https://review.opendev.org/791297
|
|
- https://review.opendev.org/805654 (errata 1)
|
|
|
|
wallaby:
|
|
- https://review.opendev.org/791577
|
|
- https://review.opendev.org/805818 (errata 1)
|
|
|
|
victoria:
|
|
- https://review.opendev.org/791805
|
|
- https://review.opendev.org/806626 (errata 1)
|
|
|
|
ussuri:
|
|
- https://review.opendev.org/791806
|
|
- https://review.opendev.org/806628 (errata 1)
|
|
|
|
train:
|
|
- https://review.opendev.org/791807
|
|
- https://review.opendev.org/806629 (errata 1)
|
|
|
|
notes:
|
|
- The stable/train branch is under extended maintenance and will receive no
|
|
new point releases, but a patch for it is provided as a courtesy.
|
|
|
|
errata_history:
|
|
- 2021-09-27 - Errata 1
|
|
- 2021-07-29 - Original Version
|