Bug 1660925 - [downstream clone - 4.2.8] Security scanner detects "Unvalidated Redirects and Forwards (spider-param-unchecked-redirect)" vulnerability in RHVM 4.2
Summary: [downstream clone - 4.2.8] Security scanner detects "Unvalidated Redirects an...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.2.7
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ovirt-4.2.8-1
Target Release: ---
Assignee: Ravi Nori
QA Contact: Petr Matyáš
URL:
Whiteboard:
Depends On: 1656881
Blocks:
Reported: 2018-12-19 15:43 UTC by RHV bug bot
Modified: 2019-02-13 15:34 UTC
CC List: 7 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1656881
Environment:
Last Closed: 2019-02-13 15:34:07 UTC
oVirt Team: Infra
Target Upstream Version:
Links

System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2019:0343 | None | None | None | 2019-02-13 15:34:09 UTC
oVirt gerrit | 96274 | master | MERGED | aaa: Remove engine_url reference from Engine SSO | 2018-12-19 15:44:07 UTC
oVirt gerrit | 96275 | master | MERGED | aaa: Remove engine_url from login servlets | 2018-12-19 15:44:07 UTC
oVirt gerrit | 96276 | master | MERGED | aaa: Send Error with message for invalid Authorize requests | 2018-12-19 15:44:07 UTC
oVirt gerrit | 96277 | master | MERGED | aaa: Add Bad Request custom page | 2018-12-19 15:44:07 UTC
oVirt gerrit | 96341 | ovirt-engine-4.2 | MERGED | aaa: Remove engine_url reference from Engine SSO | 2018-12-20 14:49:38 UTC
oVirt gerrit | 96342 | ovirt-engine-4.2 | MERGED | aaa: Remove engine_url from login servlets | 2018-12-20 14:49:41 UTC
oVirt gerrit | 96343 | ovirt-engine-4.2 | MERGED | aaa: Send Error with message for invalid Authorize requests | 2018-12-20 14:49:44 UTC
oVirt gerrit | 96344 | ovirt-engine-4.2 | MERGED | aaa: Add Bad Request custom page | 2018-12-20 14:49:48 UTC
oVirt gerrit | 96699 | ovirt-engine-4.2 | MERGED | aaa: Fix login and credentialsChange jps to render proper engine URL | 2019-01-11 07:56:13 UTC

Comment 1 RHV bug bot 2018-12-19 15:43:31 UTC
The security scanner detects the following vulnerability for RHVM 4.2:

3.2.15. Unvalidated Redirects and Forwards (spider-param-unchecked-redirect)

Description:

An open redirect vulnerability is an application that takes a parameter and redirects a user to the parameter value, such as a Web site,
without validation. Attackers exploit this vulnerability with phishing e-mails that cause users to visit malicious sites inadvertently.
This is one of the OWASP Top Ten flaws in the Code Injection category.


References:

OWASP-2010 : https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards

OWASP-2013 : https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards

Vulnerability Solution:

Audit Report

If you cannot avoid user-controlled parameters when calculating the destination of the redirect or forward action, it is recommended that
you make any such parameters mapping values instead of actual URLs or portions of URLs.

Applications can use ESAPI to override the sendRedirect() method to make sure all redirect destinations are safe.

(Originally by Sachin Raje)
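
The mitigation the scanner report recommends, a redirect parameter that carries a mapping key rather than a URL, shown as an added example. This is illustrative code written for this page, not ovirt-engine's login servlet or the Engine SSO code changed by the linked gerrit patches. The engine origin `https://engine.example.com`, the key names and the paths under `/ovirt-engine/` are all assumed values for the demonstration, and `Map.of` requires Java 9 or later.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Map;
import java.util.Optional;

/**
 * Added example: a redirect target is chosen from a server-side allow-list
 * keyed by a short name, so the user-supplied parameter is never used as a URL.
 * Keys, paths and the engine origin are hypothetical, not ovirt-engine's own.
 */
public final class SafeRedirect {

    /** Allow-list: only these keys may be requested; each maps to a fixed path. */
    private static final Map<String, String> DESTINATIONS = Map.of(
            "webadmin", "/ovirt-engine/webadmin/",
            "portal", "/ovirt-engine/web-ui/",
            "home", "/ovirt-engine/");

    /** The server's own canonical origin, taken from configuration, never from the request. */
    private final URI engineBase;

    public SafeRedirect(String engineBase) {
        this.engineBase = URI.create(engineBase);
    }

    /**
     * Resolve a mapping key to an absolute same-origin URL.
     * Unknown or missing keys yield empty; the caller should answer
     * 400 Bad Request with a fixed page rather than echo the input.
     */
    public Optional<String> resolve(String key) {
        if (key == null) {
            return Optional.empty();
        }
        String path = DESTINATIONS.get(key);
        if (path == null) {
            return Optional.empty();
        }
        // engineBase has no path of its own, so resolving an absolute path
        // simply appends it to the configured scheme://host[:port].
        return Optional.of(engineBase.resolve(path).toString());
    }

    /**
     * Secondary check for code paths that still receive a full URL: accept it only
     * when it parses and matches the engine's scheme, host and port exactly.
     */
    public boolean isSameOrigin(String candidate) {
        if (candidate == null) {
            return false;
        }
        URI target;
        try {
            target = new URI(candidate);
        } catch (URISyntaxException e) {
            return false; // unparsable input is rejected, not "fixed up"
        }
        // Scheme-relative ("//other.example/x") and host-less values are rejected outright.
        if (target.getScheme() == null || target.getHost() == null) {
            return false;
        }
        return target.getScheme().equalsIgnoreCase(engineBase.getScheme())
                && target.getHost().equalsIgnoreCase(engineBase.getHost())
                && target.getPort() == engineBase.getPort();
    }

    public static void main(String[] args) {
        SafeRedirect redirect = new SafeRedirect("https://engine.example.com");

        // Constructed inputs: two allow-listed keys, then values a scanner would send.
        System.out.println("webadmin -> " + redirect.resolve("webadmin"));
        System.out.println("home     -> " + redirect.resolve("home"));
        System.out.println("raw URL  -> " + redirect.resolve("https://other.example/"));
        System.out.println("same-origin full URL: "
                + redirect.isSameOrigin("https://engine.example.com/ovirt-engine/"));
        System.out.println("scheme-relative URL:  "
                + redirect.isSameOrigin("//other.example/ovirt-engine/"));
        System.out.println("foreign host:         "
                + redirect.isSameOrigin("https://other.example/ovirt-engine/"));
    }
}
```

In a servlet the only value that reaches `response.sendRedirect()` is the string returned by `resolve()`; an empty result is answered with a static error page and an HTTP 400, which is the same shape as the "Send Error with message for invalid Authorize requests" and "Add Bad Request custom page" changes listed in the Links table. `isSameOrigin()` is kept as a belt-and-braces check for legacy callers that cannot yet switch to keys; it is a weaker control than the mapping, because it still trusts the request to name a path.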

Comment 20 Petr Matyáš 2019-02-07 13:14:53 UTC
Verified on ovirt-engine-4.2.8.2-0.1.el7ev.noarch

Comment 22 errata-xmlrpc 2019-02-13 15:34:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0343