Bug 1725740 (CVE-2019-13038)
Summary: | CVE-2019-13038 mod_auth_mellon: Open Redirect via the login?ReturnTo= substring which could facilitate information theft | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | hhorak, jhrozek, jorton, luhliari, ssorce, sssd-qe |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | mod_auth_mellon 0.15.0 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2020-03-31 22:34:24 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1725742, 1731052, 1731053, 1731054 | | |
Bug Blocks: | 1725743 | | |
Description
Marian Rehak
2019-07-01 11:24:06 UTC
Created mod_auth_mellon tracking bugs for this issue:

Affects: fedora-all [bug 1725742]

An initial patch can be found at https://github.com/Uninett/mod_auth_mellon/commit/9d28908e28ef70a12196c215503fb0075e1fd7f3 . However, according to https://github.com/Uninett/mod_auth_mellon/issues/35#issuecomment-503974885 it is still possible to reproduce the flaw. By omitting the `//` after `http:` or `https:`, the apr_uri_parse() function incorrectly parses the URL provided with ReturnTo=, returning a wrong URI without a hostname. According to the logic in am_validate_redirect_url(), URIs without a hostname do not need to be checked, because they are supposed to be relative to the current host; however, the browser interprets them differently and redirects the user to the page specified after `http:`/`https:`. This flaw is caused by an incomplete fix for CVE-2019-3877.

Proposed patch upstream: https://github.com/Uninett/mod_auth_mellon/pull/220

The upstream PR and issue have been closed as the mod_auth_mellon project has been archived. See https://github.com/Uninett/mod_auth_mellon/blob/info/README.md .

We have moved development here[1] after Uninett decided to not fund development further. Please feel free to reopen issues or PRs there.

[1] https://github.com/latchset/mod_auth_mellon/

The fix initially proposed and noted in comment 7 has been merged in the new repository and it can be found at: https://github.com/latchset/mod_auth_mellon/commit/5f220e771f2029a58b7d95f92e9ae6713bc88ce5

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2020:1003 https://access.redhat.com/errata/RHSA-2020:1003

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-13038

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:1660 https://access.redhat.com/errata/RHSA-2020:1660
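As an added Python illustration of the parsing edge case the report describes (this is not mod_auth_mellon's C code; the allowlisted hostname and both function names are constructed), the weak check below mirrors the "no hostname means relative" assumption and the hardened check shows the shape of a validator that does not rely on it:

```python
"""Modeled on the ReturnTo validation flaw described in the report above.
Hypothetical re-implementation in Python using urllib.parse, which, like
apr_uri_parse() in the report, yields no hostname for "http:evil.example"."""
from urllib.parse import urlsplit

# Constructed: the service provider's own hostname, the only host a
# ReturnTo= value may point at when it is an absolute URL.
ALLOWED_HOSTS = {"sp.example.com"}


def weak_is_safe_redirect(url: str) -> bool:
    """Mirrors the logic the report attributes to am_validate_redirect_url():
    a URL the parser reports without a hostname is assumed to be relative to
    the current host and is not checked further."""
    parts = urlsplit(url)
    if not parts.netloc:
        return True  # BUG: "http:evil.example" also parses with an empty netloc
    return parts.hostname in ALLOWED_HOSTS


def hardened_is_safe_redirect(url: str) -> bool:
    """Decide on what the value carries, not on what the parser failed to find.
    Anything with a scheme or an authority must be an http(s) URL whose host is
    allowlisted; everything else must be a plain absolute path on this origin."""
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        # "http:evil.example" has a scheme but no hostname -> rejected here.
        return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS
    # Scheme-less and authority-less: require a leading "/" but refuse "//" and
    # "/\", which browsers treat as network-path references to another host.
    return url.startswith("/") and not url.startswith(("//", "/\\"))


if __name__ == "__main__":
    for candidate in ("/account", "http:evil.example", "http://evil.example/",
                      "https://sp.example.com/app", "//evil.example/"):
        print(f"{candidate!r:32} weak={weak_is_safe_redirect(candidate)!s:5} "
              f"hardened={hardened_is_safe_redirect(candidate)}")
```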