macaron before 1.3.7 has an open redirect in the static handler, as demonstrated by the http://127.0.0.1:4000//example.com/ URL.
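A constructed Go illustration of this bug class, added here and not macaron's or Grafana's own code: a static handler that redirects to the request path plus a trailing slash emits `Location: //example.com/` for the demonstrated URL, which browsers resolve against another host, while the same redirect with the path normalized first stays on the local origin. The names `naiveRedirect`, `hardenedRedirect`, `localRedirectTarget` and `locationFor` are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// naiveRedirect (constructed, not macaron's code) is the unsafe pattern: the
// request path is echoed into the redirect, so "//example.com" yields a
// Location of "//example.com/", which browsers resolve to another host.
func naiveRedirect(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, r.URL.Path+"/", http.StatusFound)
}

// localRedirectTarget forces p into a same-origin target: it must be an
// absolute path without backslashes (browsers treat "/\host" like "//host"),
// and path.Clean collapses repeated slashes so no "//host" prefix survives.
func localRedirectTarget(p string) (string, bool) {
	if !strings.HasPrefix(p, "/") || strings.Contains(p, `\`) {
		return "", false
	}
	// Clean maps "//example.com" to "/example.com"; TrimSuffix keeps "/" from becoming "//".
	return strings.TrimSuffix(path.Clean(p), "/") + "/", true
}

// hardenedRedirect is the same redirect with the target normalized first.
func hardenedRedirect(w http.ResponseWriter, r *http.Request) {
	target, ok := localRedirectTarget(r.URL.Path)
	if !ok {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	http.Redirect(w, r, target, http.StatusFound)
}

// locationFor drives a handler with a GET for rawPath and returns the status and Location header.
func locationFor(h http.HandlerFunc, rawPath string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, rawPath, nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	_, naive := locationFor(naiveRedirect, "//example.com")
	_, safe := locationFor(hardenedRedirect, "//example.com")
	fmt.Println("naive:", naive, "hardened:", safe)
}
```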
Created grafana tracking bugs for this issue:
Affects: fedora-all [bug 1851131]
Created golang-gopkg-macaron-1 tracking bugs for this issue:
Affects: fedora-all [bug 1851288]
This issue has a low impact on both OpenShift Container Platform and OpenShift Service Mesh grafana containers. As neither component makes use of the Static handler, the impact is Low. A future version of Grafana may use the Macaron Static handler, so we may fix this in a future release.
Red Hat Ceph Storage (RHCS) versions 3 and 4 use Grafana, where the affected version of the macaron package is delivered. However, the Static handler is not used by Ceph, hence the impact of this vulnerability is Low. Ceph-2 has reached End of Extended Life Cycle Support and is no longer fixing moderates/lows.
This issue has been addressed in the following products:
OpenShift Service Mesh 1.1
Via RHSA-2020:3369 https://access.redhat.com/errata/RHSA-2020:3369
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):