Bug 1847420 (CVE-2020-10775)

Summary: CVE-2020-10775 ovirt-engine: Redirect to arbitrary URL allows for phishing
Product: [Other] Security Response
Reporter: Stoyan Nikolov <snikolov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: darunesh, dblechte, dfediuck, eedri, hvyas, mgoldboi, michal.skrivanek, mperina, nobody, puebele, rhs-bugs, rhsc-qe-bugs, sabose, sbonazzo, security-response-team, sherold, storage-qa-internal, yturgema
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: ovirt-engine 4.4.2
Doc Type: If docs needed, set a value
Doc Text:
An open redirect vulnerability was found in ovirt-engine versions 4.4.1 and earlier, which allows remote attackers to redirect users to arbitrary web sites and attempt phishing attacks. Once the target has opened the malicious URL in their browser, the critical part of the URL is no longer visible. The highest threat from this vulnerability is to confidentiality.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-08-04 19:27:44 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1848941, 1866688    
Bug Blocks: 1845991    

Description Stoyan Nikolov 2020-06-16 11:02:27 UTC
Open redirect vulnerability in ovirt-engine 4.4 and earlier allows remote attackers to redirect users to arbitrary web sites and attempt phishing attacks. Once the target has opened the malicious URL in their browser, the critical part of the URL is no longer visible.
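
The redirect pattern this report describes, as an added illustration that is not ovirt-engine's code: a generic Python handler that forwards a client-supplied target unchecked, beside a hardened validator that only lets the browser stay on the engine's own host. The host name engine.example.com, the paths and the attacker URLs are constructed for the example; the affected ovirt-engine endpoint and parameter are not named on this page and are not represented here.

```python
"""Open redirect: vulnerable handler versus a hardened target check.

Added example, not ovirt-engine code. Host names, paths and attacker URLs
below are constructed for illustration.
"""
from urllib.parse import urljoin, urlsplit

# Hypothetical host of the engine serving the redirect.
ENGINE_HOST = "engine.example.com"


def vulnerable_redirect(base_url: str, target: str) -> str:
    """The flawed pattern: the client-supplied target becomes the Location.

    urljoin approximates how a browser resolves the header, so a target of
    "https://evil.example/login" or the protocol-relative "//evil.example/login"
    sends the victim off-site even though the link they clicked began with
    base_url. (urljoin does not model the browser's backslash handling.)
    """
    return urljoin(base_url, target)


def is_safe_redirect_target(target: str, allowed_host: str = ENGINE_HOST) -> bool:
    """Accept only targets that keep the browser on allowed_host.

    Rejects absolute URLs on other hosts, protocol-relative "//host" paths,
    backslash variants that browsers normalise to slashes, userinfo tricks
    such as "https://allowed-host@evil", non-https schemes, and targets that
    contain whitespace or control characters.
    """
    if not target or any(ord(ch) < 0x21 for ch in target):
        return False
    # Browsers treat "\" like "/" in URLs, so normalise before parsing;
    # otherwise "/\evil.example" would look like a local path.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative: must be https on exactly our host,
        # with no userinfo that could disguise the real destination.
        return (
            parts.scheme == "https"
            and parts.hostname == allowed_host
            and parts.username is None
            and parts.password is None
        )
    # Relative: require a single leading slash. "//..." is protocol-relative
    # (already caught via netloc); bare "foo" is rejected for simplicity.
    return normalised.startswith("/") and not normalised.startswith("//")


def safe_redirect(base_url: str, target: str, fallback: str = "/") -> str:
    """Hardened handler: an unsafe target is replaced by a fixed local path."""
    if not is_safe_redirect_target(target):
        target = fallback
    return urljoin(base_url, target)


if __name__ == "__main__":
    base = "https://engine.example.com/"
    for t in ("/webadmin/", "//evil.example/", "https://evil.example/login",
              "https://engine.example.com@evil.example/", "javascript:alert(1)"):
        print(f"{t!r:45} vulnerable -> {vulnerable_redirect(base, t)}")
        print(f"{'':45} hardened   -> {safe_redirect(base, t)}")
```

The check is deliberately an allow-list on the parsed host rather than a string prefix test: "https://engine.example.com.evil.example/" and "https://engine.example.com@evil.example/" both start with the trusted host name yet land on evil.example, which is exactly the property the report relies on (the victim sees a link beginning with the engine's address, and after the redirect the engine's part of the URL is gone).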

Comment 9 Stoyan Nikolov 2020-07-01 09:40:17 UTC
Acknowledgments:

Name: Chen RuiQi (QIANXIN CodeSafe Team), Chen Huiliang (QIANXIN CodeSafe Team)

Comment 10 errata-xmlrpc 2020-08-04 13:15:58 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2020:3247 https://access.redhat.com/errata/RHSA-2020:3247

Comment 11 Product Security DevOps Team 2020-08-04 19:27:44 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10775

Comment 13 Stoyan Nikolov 2020-09-09 06:34:54 UTC
Upstream Changelog: https://www.ovirt.org/release/4.4.2/

Comment 14 Hardik Vyas 2020-09-09 15:31:38 UTC
Statement:

In Red Hat Gluster Storage 3, ovirt-engine (included in rhsc) was shipped as a part of Red Hat Gluster Storage Console, which is no longer supported for use with Red Hat Gluster Storage 3.5. Red Hat Gluster Storage Web Administration is now the recommended monitoring tool for Red Hat Storage Gluster clusters. However, the vulnerable code is not included in the shipped version of ovirt-engine, and hence it is not affected by this flaw.