Bug 1980648 (CVE-2021-3639)

Summary: CVE-2021-3639 mod_auth_mellon: Open Redirect vulnerability in logout URLs
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: hhorak, jhrozek, jorton, luhliari, nkinder, security-response-team, spoore, ssorce, thalman
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in mod_auth_mellon where it does not sanitize logout URLs properly. This issue could be used by an attacker to facilitate phishing attacks by tricking users into visiting a trusted web application URL that redirects to an external and potentially malicious server. The highest threat from this liability is to confidentiality and integrity.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-11 18:16:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1986805, 1986806, 1986807, 1988235    
Bug Blocks: 1978058    

Description Dhananjay Arunesh 2021-07-09 06:39:06 UTC 
A vulnerability was found in mod_auth_mellon where it does not sanatize logout  URLs properly results in phishing attacks by tricking users.
Comment 4 Riccardo Schirone 2021-07-28 11:30:47 UTC 
The vulnerability is in auth_mellon_util.c:am_check_url() function, where there are not enough checks to ensure the redirect URL is fine. An attacker may provide a logout URL, starting with "///", of an application that uses mod_auth_mellon to a victim user, so that he is redirected to another site. The user may pay less attention to the URL as the application that uses mod_auth_mellon may be trusted.
Comment 5 Riccardo Schirone 2021-07-30 05:46:07 UTC 
Upstream patch:
https://github.com/latchset/mod_auth_mellon/commit/42a11261b9dad2e48d70bdff7c53dd57a12db6f5
Comment 6 Riccardo Schirone 2021-07-30 05:47:54 UTC 
Created mod_auth_mellon tracking bugs for this issue:

Affects: fedora-all [bug 1988235]
Comment 7 errata-xmlrpc 2022-05-10 14:22:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1934 https://access.redhat.com/errata/RHSA-2022:1934
Comment 8 Product Security DevOps Team 2022-05-11 18:16:06 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3639