Description
macaron before 1.3.7 has an open redirect in the static handler, as demonstrated by the http://127.0.0.1:4000//example.com/ URL.
A flaw was found in macaron. Path URLs aren't cleaned before being redirected, creating an open redirect in the static handler.
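The root cause named above is a redirect target built from the raw request path: a path beginning with `//` is a protocol-relative URL, so a browser following `Location: //example.com/` leaves the site. The following is an added illustration, not macaron's own code and not the upstream fix; the function names `rawRedirectTarget`, `localRedirectTarget` and `isProtocolRelative` are assumptions made for this example. It contrasts the unsafe echo of the request path with a cleaned, host-local target, using Go's `path.Clean` (which collapses repeated slashes and resolves `..`) plus an explicit local-path check.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// rawRedirectTarget reproduces the behaviour described in the advisory:
// the request path is echoed into the redirect Location unchanged.
// (Hypothetical helper for this example, not macaron's code.)
func rawRedirectTarget(reqPath string) string {
	return reqPath
}

// isProtocolRelative reports whether a redirect target would be read by a
// browser as "//host/..." (scheme-relative), i.e. as a different origin.
// Backslashes are included because some browsers normalise "/\" to "//".
func isProtocolRelative(target string) bool {
	return strings.HasPrefix(target, "//") || strings.HasPrefix(target, "/\\")
}

// localRedirectTarget is the defensive counterpart (assumed, not upstream's
// patch): it only ever returns a single-slash, host-local path.
func localRedirectTarget(reqPath string) (string, error) {
	if strings.Contains(reqPath, "\\") {
		return "", fmt.Errorf("rejecting path containing a backslash: %q", reqPath)
	}
	// path.Clean collapses "//" runs and resolves "." and "..", so
	// "//example.com/" becomes "/example.com" and cannot escape the host.
	cleaned := path.Clean("/" + reqPath)
	// Belt and braces: refuse anything that is still not a plain local path.
	if !strings.HasPrefix(cleaned, "/") || isProtocolRelative(cleaned) {
		return "", fmt.Errorf("rejecting non-local redirect target: %q", reqPath)
	}
	return cleaned, nil
}

func main() {
	// Constructed sample request paths, including the one from the advisory.
	samples := []string{"/static/", "//example.com/", "/static/../..//example.com/"}
	for _, p := range samples {
		raw := rawRedirectTarget(p)
		safe, err := localRedirectTarget(p)
		fmt.Printf("%-32q raw=%-32q offsite=%-5v cleaned=%q err=%v\n",
			p, raw, isProtocolRelative(raw), safe, err)
	}
}
```

Detection note: a static handler that issues 301/302 responses is worth a log query for `Location` values beginning with `//`, which is the signature of this class of bug regardless of framework.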
Statement
This issue has a low impact on both the OpenShift Container Platform and OpenShift Service Mesh grafana containers. As neither component makes use of the Static handler, the impact is Low. A future version of Grafana may use the Macaron Static handler, so we may fix this in a future release. Red Hat Ceph Storage (RHCS) versions 3 and 4 use Grafana, where the affected version of the macaron package is delivered. However, the Static handler is not used by Ceph, hence the impact of this vulnerability is Low. Ceph 2 has reached End of Extended Life Cycle Support and is no longer receiving fixes for Moderate/Low issues.
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat Ceph Storage 2 | grafana | Out of support scope | | |
| Red Hat Ceph Storage 3 | grafana | Affected | | |
| Red Hat Ceph Storage 3 | grafana-container | Affected | | |
| Red Hat Ceph Storage 4 | rhceph/rhceph-4-dashboard-rhel8 | Affected | | |
| Red Hat OpenShift Container Platform 3.11 | openshift3/grafana | Fix deferred | | |
| Red Hat OpenShift Container Platform 4 | openshift4/ose-grafana | Fix deferred | | |
| Red Hat Storage 3 | grafana | Affected | | |
| OpenShift Service Mesh 1.1 | kiali | Fixed | RHSA-2020:3369 | 06.08.2020 |
| OpenShift Service Mesh 1.1 | ior | Fixed | RHSA-2020:3369 | 06.08.2020 |
| OpenShift Service Mesh 1.1 | servicemesh | Fixed | RHSA-2020:3369 | 06.08.2020 |
Additional information
Status:
CVSS3: 6.1 Medium
Related vulnerabilities
- gopkg.in/macaron.v1 Open Redirect vulnerability (CVSS3: 6.1 Medium)