Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2020-29565

Опубликовано: 26 фев. 2020
Источник: redhat
CVSS3: 6.1

Описание

An issue was discovered in OpenStack Horizon before 15.3.2, 16.x before 16.2.1, 17.x and 18.x before 18.3.3, 18.4.x, and 18.5.x. There is a lack of validation of the "next" parameter, which would allow someone to supply a malicious URL in Horizon that can cause an automatic redirect to the provided malicious URL.

A flaw was found in python-django-horizon. The "next" parameter is not correctly validated allowing a remote attacker to supply a malicious URL in the dashboard that could cause an automatic redirect to the provided malicious site. The highest threat from this vulnerability is to data confidentiality and integrity.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat OpenStack Platform 10 (Newton)python-django-horizonOut of support scope
Red Hat OpenStack Platform 15 (Stein)python-django-horizonOut of support scope
Red Hat OpenStack Platform 13.0 (Queens)python-django-horizonFixedRHSA-2020:557216.12.2020
Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUSpython-django-horizonFixedRHSA-2020:557216.12.2020
Red Hat OpenStack Platform 16.1python-django-horizonFixedRHSA-2020:541115.12.2020

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-601
https://bugzilla.redhat.com/show_bug.cgi?id=1811510python-django-horizon: dashboard allows open redirect

6.1 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2020-29565

CVSS3: 6.1
ubuntu
около 5 лет назад

An issue was discovered in OpenStack Horizon before 15.3.2, 16.x before 16.2.1, 17.x and 18.x before 18.3.3, 18.4.x, and 18.5.x. There is a lack of validation of the "next" parameter, which would allow someone to supply a malicious URL in Horizon that can cause an automatic redirect to the provided malicious URL.

nvd логотип

CVE-2020-29565

CVSS3: 6.1
nvd
около 5 лет назад

An issue was discovered in OpenStack Horizon before 15.3.2, 16.x before 16.2.1, 17.x and 18.x before 18.3.3, 18.4.x, and 18.5.x. There is a lack of validation of the "next" parameter, which would allow someone to supply a malicious URL in Horizon that can cause an automatic redirect to the provided malicious URL.

debian логотип

CVE-2020-29565

CVSS3: 6.1
debian
около 5 лет назад

An issue was discovered in OpenStack Horizon before 15.3.2, 16.x befor ...

github логотип

GHSA-f8fh-xp28-q59m

CVSS3: 6.1
github
больше 3 лет назад

OpenStack Horizon Open redirect in workflow forms

fstec логотип

BDU:2021-01760

CVSS3: 6.1
fstec
почти 6 лет назад

Уязвимость параметра next пользовательского интерфейса сервисов OpenStack Horizon, связанная с недостатком механизма контролем за переадресации на вредоносные сайты, позволяющая нарушителю получить доступ к конфиденциальным данным и нарушить их целостность

6.1 Medium

CVSS3