yahoo-eng-team team mailing list archive
Message #86982
[Bug 1927677] Re: [OSSA-2021-002] Open Redirect in noVNC proxy (CVE-2021-3654)
Reviewed: https://review.opendev.org/c/openstack/nova/+/805654
Committed: https://opendev.org/openstack/nova/commit/6fbd0b758dcac71323f3be179b1a9d1c17a4acc5
Submitter: "Zuul (22348)"
Branch: master
commit 6fbd0b758dcac71323f3be179b1a9d1c17a4acc5
Author: Sean Mooney <work@xxxxxxxxxxxxxxx>
Date: Mon Aug 23 15:37:48 2021 +0100
address open redirect with 3 forward slashes
Ie36401c782f023d1d5f2623732619105dc2cfa24 was intended
to address OSSA-2021-002 (CVE-2021-3654) however after its
release it was discovered that the fix only worked
for URLs with 2 leading slashes or more than 4.
This change addresses the missing edge case for 3 leading slashes
and also maintains support for rejecting 2+.
Change-Id: I95f68be76330ff09e5eabb5ef8dd9a18f5547866
co-authored-by: Matteo Pozza
Closes-Bug: #1927677
** Changed in: nova
Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/1927677
Title:
[OSSA-2021-002] Open Redirect in noVNC proxy (CVE-2021-3654)
Status in OpenStack Compute (nova):
Fix Released
Status in OpenStack Compute (nova) stein series:
Confirmed
Status in OpenStack Compute (nova) train series:
Confirmed
Status in OpenStack Compute (nova) ussuri series:
Confirmed
Status in OpenStack Compute (nova) victoria series:
Confirmed
Status in OpenStack Compute (nova) wallaby series:
Confirmed
Status in OpenStack Security Advisory:
Fix Released
Bug description:
This bug report is related to Security.
Currently noVNC is allowing open redirection, which could potentially be
used for phishing attempts.
To test:
https://<sites' vnc domain>//example.com/%2F..
Include .. at the end.
For example:
http://vncproxy.my.domain.com//example.com/%2F..
It will redirect to example.com. You can replace example.com with some
legitimate domain or spoofed domain.
The description of the risk is:
By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.
Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance.
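An added example, not nova's code and not part of the original message: the rule the commit message describes (reject any request path with two or more leading slashes), applied to the raw request path and compared with a hypothetical parser-based check that is not nova's earlier fix. All function names are assumptions, and the sample paths are constructed from the report's `//example.com/%2F..` test URL.

```python
from urllib.parse import urlsplit

# Constructed request paths with 1 to 5 leading slashes, modelled on the
# //example.com/%2F.. test URL in the bug description.
SAMPLE_PATHS = {n: "/" * n + "example.com/%2F.." for n in range(1, 6)}


def reject_raw(raw_path: str) -> bool:
    """Rule from the commit message: refuse 2 or more leading slashes.

    The decision is made on the path exactly as the client sent it.
    """
    return raw_path.startswith("//")


def reject_parsed(raw_path: str) -> bool:
    """Hypothetical weaker check: refuse only when urlsplit() sees a host.

    With three or more leading slashes urlsplit() reports an empty netloc,
    so this check stops firing even though the path still starts with "//".
    """
    return bool(urlsplit(raw_path).netloc)


def redirect_or_reject(raw_path: str):
    """Return (status, location) for a directory request that lacks a
    trailing slash: 400 for a multi-slash path, otherwise a 301 that
    appends the slash (the redirect a static file handler would send)."""
    if reject_raw(raw_path):
        return 400, None
    return 301, raw_path + "/"


def compare(paths=SAMPLE_PATHS):
    """Map each slash count to (reject_raw, reject_parsed)."""
    return {n: (reject_raw(p), reject_parsed(p)) for n, p in paths.items()}


if __name__ == "__main__":
    for count, (raw, parsed) in compare().items():
        print(f"{count} leading slash(es): raw={raw} parsed={parsed}")
```

The comparison shows why the rule is applied to the raw path: a check that relies on how a URL parser splits the input can agree with it for two slashes and disagree for three or more.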