Bug 2256413 (CVE-2023-26159)
| Summary: | CVE-2023-26159 follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse() | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Rohit Keshri <rkeshri> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aarif, aazores, abarbaro, abrianik, adamevin, adupliak, aileenc, akostadi, alcohan, amasferr, amctagga, anjoseph, anthomas, aprice, asoldano, bbaranow, bbuckingham, bcourt, bdettelb, bmaxwell, brian.stansberry, brking, btarraso, caswilli, cbartlet, cdaley, cdewolf, chazlett, cmah, cmiranda, crizzo, darran.lofthouse, dfreiber, dhanak, dkenigsb, dkreling, dkuc, dmayorov, doconnor, dosoudil, dranck, drow, dsimansk, dymurray, eaguilar, ebaron, ecerquei, ehelms, epacific, eric.wittmann, fdeutsch, fjansen, fjuma, ggainey, ggrzybek, gmalinko, gparvin, gsuckevi, haoli, hkataria, ibek, ibolton, istudens, ivassile, iweiss, jajackso, janstey, jburrell, jcammara, jcantril, jchui, jdobes, jhardy, jhe, jkang, jkoehler, jlledo, jmartisk, jmatthew, jmitchel, jmontleo, jneedle, jobarker, jolong, jpallich, jprabhak, jrokos, jsamir, jshaughn, jsherril, jtanner, juwatts, jvasik, jwendell, kaycoth, kegrant, kholdawa, kingland, koliveir, kshier, ktsao, kverlaen, lbainbri, lchilton, lcouzens, lgao, lphiri, lzap, mabashia, manissin, matzew, mhulan, mkudlej, mmakovy, mnovotny, mosmerov, mpierce, mskarbek, msochure, mstefank, msvehla, mwringe, nboldt, nipatil, njean, nmoumoul, nwallace, oezr, orabin, oramraz, osousa, owatkins, pahickey, pantinor, parichar, pbraun, pcongius, pcreech, pdelbell, pesilva, pgaikwad, pierdipi, pjindal, pmackay, porcelli, psegedy, psrna, rblanco, rcernich, rchan, rguimara, rhaigner, rhuss, rjohnson, rkubis, rojacob, rstancel, rstepani, rtaniwa, saroy, sausingh, sbiarozk, sdawley, sfeifer, sfroberg, shbose, shvarugh, sidakwo, simaishi, sipoyare, slucidi, smaestri, smallamp, smcdonal, smullick, sseago, stcannon, sthirugn, stirabos, tasato, teagle, tfister, thason, thavo, tjochec, tkral, tom.jenkinson, twalsh, vkrizan, vkumar, vmugicag, wtam, yguenane, zsadeh |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
An Improper Input Validation flaw was found in follow-redirects due to the improper handling of URLs by the url.parse() function. When a new URL() throws an error, it can be manipulated to misinterpret the hostname. This issue could allow an attacker to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2256415, 2256416, 2256417, 2256418, 2256419, 2256420, 2256421, 2256422, 2257405, 2271406 | ||
| Bug Blocks: | 2256412 | ||
|
Description
Rohit Keshri
2024-01-02 07:00:33 UTC
Created cachelib tracking bugs for this issue: Affects: fedora-all [bug 2256416] Created fbthrift tracking bugs for this issue: Affects: fedora-all [bug 2256417] Created golang-github-prometheus tracking bugs for this issue: Affects: epel-all [bug 2256415] Created pgadmin4 tracking bugs for this issue: Affects: fedora-all [bug 2256418] Created rstudio tracking bugs for this issue: Affects: fedora-all [bug 2256419] follow-redirects is a transitive dependency of Grafana, and its not affected by this CVE. This issue has been addressed in the following products: RHOL-5.8-RHEL-9 Via RHSA-2024:0271 https://access.redhat.com/errata/RHSA-2024:0271 This issue has been addressed in the following products: MTR 1.2.4 Via RHSA-2024:0720 https://access.redhat.com/errata/RHSA-2024:0720 This issue has been addressed in the following products: NETWORK-OBSERVABILITY-1.5.0-RHEL-9 Via RHSA-2024:0853 https://access.redhat.com/errata/RHSA-2024:0853 This issue has been addressed in the following products: Red Hat Openshift distributed tracing 3.1 Via RHSA-2024:0998 https://access.redhat.com/errata/RHSA-2024:0998 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.15 Via RHSA-2023:7198 https://access.redhat.com/errata/RHSA-2023:7198 This issue has been addressed in the following products: MTA-6.2-RHEL-9 MTA-6.2-RHEL-8 Via RHSA-2024:1027 https://access.redhat.com/errata/RHSA-2024:1027 This issue has been addressed in the following products: RHEL-9-CNV-4.15 Via RHSA-2024:3314 https://access.redhat.com/errata/RHSA-2024:3314 This issue has been addressed in the following products: MTA-7.0-RHEL-9 MTA-7.0-RHEL-8 Via RHSA-2024:3316 https://access.redhat.com/errata/RHSA-2024:3316 This issue has been addressed in the following products: MTA-6.2-RHEL-9 MTA-6.2-RHEL-8 Via RHSA-2024:3989 https://access.redhat.com/errata/RHSA-2024:3989 This issue has been solved in MCE 2.4.5 via this public advisory https://access.redhat.com/errata/RHBA-2024:3555 |