Bug 1847420 (CVE-2020-10775)
| Summary: | CVE-2020-10775 ovirt-engine: Redirect to arbitrary URL allows for phishing | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Stoyan Nikolov <snikolov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | darunesh, dblechte, dfediuck, eedri, hvyas, mgoldboi, michal.skrivanek, mperina, nobody, puebele, rhs-bugs, rhsc-qe-bugs, sabose, sbonazzo, security-response-team, sherold, storage-qa-internal, yturgema |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | ovirt-engine 4.4.2 | Doc Type: | If docs needed, set a value |
| Doc Text: | An open redirect vulnerability was found in ovirt-engine versions 4.4.1 and earlier, which allows remote attackers to redirect users to arbitrary web sites and attempt phishing attacks. Once the target has opened the malicious URL in their browser, the critical part of the URL is no longer visible. The highest threat from this vulnerability is to confidentiality. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-08-04 19:27:44 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1848941, 1866688 | | |
| Bug Blocks: | 1845991 | | |
Description
Stoyan Nikolov
2020-06-16 11:02:27 UTC
Acknowledgments: Name: Chen RuiQi (QIANXIN CodeSafe Team), Chen Huiliang (QIANXIN CodeSafe Team)

This issue has been addressed in the following products:

Red Hat Virtualization Engine 4.4
Via RHSA-2020:3247 https://access.redhat.com/errata/RHSA-2020:3247

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10775

Upstream fix: https://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=commit;h=6953a1072f5a563664fd8992f31637dae66435fc

Upstream Changelog: https://www.ovirt.org/release/4.4.2/

Statement: In Red Hat Gluster Storage 3, ovirt-engine (included in rhsc) was shipped as part of Red Hat Gluster Storage Console, which is no longer supported for use with Red Hat Gluster Storage 3.5. Red Hat Gluster Storage Web Administration is now the recommended monitoring tool for Red Hat Gluster Storage clusters. However, the vulnerable code is not included in the shipped version of ovirt-engine, hence it is not affected by this flaw.