Open redirect vulnerability in ovirt-engine 4.4 and earlier allows remote attackers to redirect users to arbitrary web sites and attempt phishing attacks. Once the target has opened the malicious URL in their browser the critical part of the URL is no longer visible.
Name: Chen RuiQi (QIANXIN CodeSafe Team), Chen Huiliang (QIANXIN CodeSafe Team)
This issue has been addressed in the following products:
Red Hat Virtualization Engine 4.4
Via RHSA-2020:3247 https://access.redhat.com/errata/RHSA-2020:3247
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
Upstream fix: https://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=commit;h=6953a1072f5a563664fd8992f31637dae66435fc
Upstream Changelog: https://www.ovirt.org/release/4.4.2/
In Red Hat Gluster Storage 3, ovirt-engine(included in rhsc) was shipped as a part of Red Hat Gluster Storage Console that is no longer supported for use with Red Hat Gluster Storage 3.5. Red Hat Gluster Storage Web Administration is now the recommended monitoring tool for Red Hat Storage Gluster clusters. However, the vulnerable code is not included in the shipped version of ovirt-engine hence not affected by this flaw.