Bug 1850034 (CVE-2020-12666) - CVE-2020-12666 macaron: open redirect in the static handler
Summary: CVE-2020-12666 macaron: open redirect in the static handler
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-12666
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1851064 1850507 1851063 1851131 1851271 1851272 1851288 1851850
Blocks: 1850035
TreeView+ depends on / blocked
 
Reported: 2020-06-23 12:38 UTC by Michael Kaplan
Modified: 2021-02-16 19:48 UTC (History)
32 users (show)

Fixed In Version: macaron-1.3.7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-08-07 01:27:43 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3369 0 None None None 2020-08-06 20:17:51 UTC

Description Michael Kaplan 2020-06-23 12:38:36 UTC
macaron before 1.3.7 has an open redirect in the static handler, as demonstrated by the http://127.0.0.1:4000//example.com/ URL.

https://github.com/go-macaron/macaron/issues/198
https://github.com/go-macaron/macaron/releases/tag/v1.3.7

Comment 2 Hardik Vyas 2020-06-25 11:34:15 UTC
PR: https://github.com/go-macaron/macaron/pull/199

Comment 4 Michael Kaplan 2020-06-25 16:28:21 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 1851131]

Comment 8 Joshua Padman 2020-06-26 03:33:01 UTC
Created golang-gopkg-macaron-1 tracking bugs for this issue:

Affects: fedora-all [bug 1851288]

Comment 11 Przemyslaw Roguski 2020-06-26 08:24:03 UTC
Statement:

This issue has a low impact on both OpenShift Container Platform and OpenShift Service Mesh grafana containers. As neither components make use of the Static handler the impact is Low. A future version of Grafana may use the Macaron Static handler so we may fix this in a future release.

Red Hat Ceph Storage (RHCS) versions 3 and 4 use Grafana where the affected version of the macaron package is delivered. However the Static handler is not used by Ceph hence the impact by this vulnerability is Low. Ceph-2 has reached End of Extended Life Cycle Support and no longer fixing moderates/lows.

Comment 13 errata-xmlrpc 2020-08-06 20:17:49 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.1
  Openshift Service Mesh 1.1

Via RHSA-2020:3369 https://access.redhat.com/errata/RHSA-2020:3369

Comment 14 Product Security DevOps Team 2020-08-07 01:27:43 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-12666


Note You need to log in before you can comment on or make changes to this bug.