Bug 1850034 (CVE-2020-12666)

Summary: CVE-2020-12666 macaron: open redirect in the static handler
Product: [Other] Security Response
Reporter: Michael Kaplan <mkaplan>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: agerstmayr, alegrand, amctagga, anharris, anpicker, bmontgom, bniver, eparis, erooth, flucifre, gmeno, go-sig, hvyas, jburrell, jokerman, kakkoyun, kconner, lcosic, mbenjamin, mgoodwin, mhackett, mloibl, nathans, nstielau, pkrupa, puebele, rcernich, sponnaga, surbania, vbellur, vereddy, zebob.m
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: macaron-1.3.7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in macaron. Request paths are not cleaned before the static handler redirects to them, creating an open redirect in the static handler.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-08-07 01:27:43 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1850507, 1851063, 1851064, 1851131, 1851271, 1851272, 1851288, 1851850
Bug Blocks: 1850035

Description Michael Kaplan 2020-06-23 12:38:36 UTC
macaron before 1.3.7 has an open redirect in the static handler, as demonstrated by the http://127.0.0.1:4000//example.com/ URL.

https://github.com/go-macaron/macaron/issues/198
https://github.com/go-macaron/macaron/releases/tag/v1.3.7
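
The mechanism behind the URL in the description, as an added example that is not macaron's code and not the fix from the linked PR: a static handler finds a directory, notices the request path lacks a trailing slash, and redirects to r.URL.Path + "/". Go's request-line parser leaves a path such as "//example.com" as URL.Path with an empty Host, but when that string plus "/" reaches http.Redirect, url.Parse reads "//example.com/" as a URL with a host, so the Location header is emitted untouched and the browser follows it to the other host. The handler names, the omission of the filesystem lookup, and the sample paths are assumptions made for illustration; the hardened variant shows the path.Clean approach the Doc Text alludes to.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// dirRedirectVulnerable has the shape of the bug: the handler has found a
// directory, the request path has no trailing slash, and it redirects to
// r.URL.Path + "/" without cleaning it. A leading "//" survives into the
// Location header, which browsers read as a protocol-relative URL, i.e. a
// different host. (Illustrative stand-in, not macaron's code; the directory
// lookup itself is omitted.)
func dirRedirectVulnerable(w http.ResponseWriter, r *http.Request) {
	if !strings.HasSuffix(r.URL.Path, "/") {
		http.Redirect(w, r, r.URL.Path+"/", http.StatusFound)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// dirRedirectHardened cleans the path before building the Location.
// path.Clean collapses repeated slashes, so "//example.com" becomes
// "/example.com" and the redirect stays on this server. The explicit prefix
// check is belt-and-braces so a later refactor cannot quietly reintroduce a
// protocol-relative target.
func dirRedirectHardened(w http.ResponseWriter, r *http.Request) {
	if !strings.HasSuffix(r.URL.Path, "/") {
		cleaned := path.Clean(r.URL.Path)
		target := cleaned + "/"
		if cleaned == "/" {
			target = "/" // avoid turning "/docs/.." into "//"
		}
		if !strings.HasPrefix(target, "/") || strings.HasPrefix(target, "//") {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		http.Redirect(w, r, target, http.StatusFound)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// locationFor drives a handler with a request for target, parsed the way the
// Go server parses a request line, and returns the Location header it emitted
// ("" when there was no redirect).
func locationFor(h http.HandlerFunc, target string) string {
	// httptest.NewRequest goes through the request-line parser, so
	// "//example.com" yields URL.Path == "//example.com" with an empty Host,
	// exactly as on a real server.
	req := httptest.NewRequest(http.MethodGet, target, nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Header().Get("Location")
}

func main() {
	// Constructed sample request paths: a normal directory, the attacker's
	// protocol-relative form, and a dot-dot path that cleans to the root.
	for _, p := range []string{"/docs", "//example.com", "/docs/.."} {
		fmt.Printf("%-16s vulnerable -> %-18q hardened -> %q\n",
			p, locationFor(dirRedirectVulnerable, p), locationFor(dirRedirectHardened, p))
	}
}
```

Running it prints "//example.com/" for the vulnerable handler and "/example.com/" for the hardened one on the attacker's path, while an ordinary "/docs" request gets "/docs/" from both. Any redirect whose target is derived from request input should be normalised this way (or validated against an allow-list) before it reaches http.Redirect, since http.Redirect only cleans targets it believes are host-less.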

Comment 2 Hardik Vyas 2020-06-25 11:34:15 UTC
PR: https://github.com/go-macaron/macaron/pull/199

Comment 4 Michael Kaplan 2020-06-25 16:28:21 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 1851131]

Comment 8 Joshua Padman 2020-06-26 03:33:01 UTC
Created golang-gopkg-macaron-1 tracking bugs for this issue:

Affects: fedora-all [bug 1851288]

Comment 11 Przemyslaw Roguski 2020-06-26 08:24:03 UTC
Statement:

This issue has a low impact on both OpenShift Container Platform and OpenShift Service Mesh grafana containers. As neither component makes use of the Static handler, the impact is Low. A future version of Grafana may use the Macaron Static handler, so we may fix this in a future release.

Red Hat Ceph Storage (RHCS) versions 3 and 4 use Grafana, in which the affected version of the macaron package is delivered. However, the Static handler is not used by Ceph, hence the impact of this vulnerability is Low. Ceph-2 has reached the End of Extended Life Cycle Support and is no longer fixing moderates/lows.

Comment 13 errata-xmlrpc 2020-08-06 20:17:49 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.1

Via RHSA-2020:3369 https://access.redhat.com/errata/RHSA-2020:3369

Comment 14 Product Security DevOps Team 2020-08-07 01:27:43 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-12666