*** This bug is a duplicate of bug 1927677 *** https://bugs.launchpad.net/bugs/1927677
That would be a question for the Ubuntu package maintainers, but we did publish backports to the stable/train branch for that advisory and its errata. Thanks for confirming this is the same issue, I'll switch this report to public and mark it as a duplicate of bug 1927677. ** Information type changed from Private Security to Public Security ** This bug has been marked a duplicate of bug 1927677 [OSSA-2021-002] Open Redirect in noVNC proxy (CVE-2021-3654) ** Description changed: - This issue is being treated as a potential security risk under - embargo. Please do not make any public mention of embargoed - (private) security vulnerabilities before their coordinated - publication by the OpenStack Vulnerability Management Team in the - form of an official OpenStack Security Advisory. This includes - discussion of the bug or associated fixes in public forums such as - mailing lists, code review systems and bug trackers. Please also - avoid private disclosure to other individuals not already approved - for access to this information, and provide this same reminder to - those who are made aware of the issue prior to publication. All - discussion should remain confined to this private bug report, and - any proposed fixes should be added to the bug as attachments. This - embargo shall not extend past 2022-11-29 and will be made - public by or on that date even if no fix is identified. - Security Issue ============== We have found an open redirect vulnerability in Nova novncproxy Impact ====== - Attackers can serve malicious websites that steal passwords or download ransomware to their victims' machines due to a redirect and there are a heap of other attack vectors. - Attackers may be able to use this to execute believable phishing attacks, bypass authentication, or (in rare circumstances) violate CSRF mitigations. Steps to Reproduce ================== Simple curl the below url and it will redirect to google.com http://nova-novncproxy:6080////google.com/%2f%2e%2e Example ======= $ curl "http://nova-novncproxy:6080////google.com/%2f.." -v * Trying 10.X.Y.Z... * TCP_NODELAY set * Connected to nova-novncproxy (10.X.Y.Z) port 6080 (#0) > GET ////google.com/%2f.. HTTP/1.1 > Host: nova-novncproxy:6080 > User-Agent: curl/7.58.0 > Accept: */* > < HTTP/1.1 301 Moved Permanently < Server: WebSockify Python/3.6.9 < Date: Wed, 31 Aug 2022 11:59:29 GMT < Location: //google.com/%2f../ Reference ========= https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1988302 Title: novncproxy open redirect Status in OpenStack Compute (nova): New Status in OpenStack Security Advisory: Incomplete Bug description: Security Issue ============== We have found an open redirect vulnerability in Nova novncproxy Impact ====== - Attackers can serve malicious websites that steal passwords or download ransomware to their victims' machines due to a redirect and there are a heap of other attack vectors. - Attackers may be able to use this to execute believable phishing attacks, bypass authentication, or (in rare circumstances) violate CSRF mitigations. Steps to Reproduce ================== Simple curl the below url and it will redirect to google.com http://nova-novncproxy:6080////google.com/%2f%2e%2e Example ======= $ curl "http://nova-novncproxy:6080////google.com/%2f.." -v * Trying 10.X.Y.Z... * TCP_NODELAY set * Connected to nova-novncproxy (10.X.Y.Z) port 6080 (#0) > GET ////google.com/%2f.. HTTP/1.1 > Host: nova-novncproxy:6080 > User-Agent: curl/7.58.0 > Accept: */* > < HTTP/1.1 301 Moved Permanently < Server: WebSockify Python/3.6.9 < Date: Wed, 31 Aug 2022 11:59:29 GMT < Location: //google.com/%2f../ Reference ========= https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1988302/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp