macaron before 1.3.7 has an open redirect in the static handler, as demonstrated by the http://127.0.0.1:4000//example.com/ URL. https://github.com/go-macaron/macaron/issues/198 https://github.com/go-macaron/macaron/releases/tag/v1.3.7
PR: https://github.com/go-macaron/macaron/pull/199
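The failure mode behind the `http://127.0.0.1:4000//example.com/` URL, as an added illustration that is not macaron's code and not the fix from the PR above: a handler that redirects to the request path verbatim emits a protocol-relative `Location` header, while a hardened counterpart (hypothetical helper `localRedirectTarget`) pins the target to the current origin.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Vulnerable pattern (example code, not macaron's): for a request to
// //example.com/ this emits "Location: //example.com/", which browsers
// read as a protocol-relative URL and follow to example.com.
func naiveTrailingSlashRedirect(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, strings.TrimSuffix(r.URL.Path, "/")+"/", http.StatusFound)
}

// localRedirectTarget (hypothetical helper) builds a same-origin directory
// path from the request path, or reports ok=false if it cannot.
func localRedirectTarget(requestPath string) (string, bool) {
	// Some browsers read "\" as "/", making "/\example.com" protocol-relative too.
	if strings.Contains(requestPath, `\`) {
		return "", false
	}
	// Collapse leading slashes to one so the result is always a path on this origin.
	p := "/" + strings.TrimLeft(requestPath, "/")
	if !strings.HasSuffix(p, "/") {
		p += "/"
	}
	// The value must parse with no scheme or host, i.e. it is a path, not a URL.
	if u, err := url.Parse(p); err != nil || u.Scheme != "" || u.Host != "" {
		return "", false
	}
	return p, true
}

// Hardened counterpart: refuse the request rather than emit an off-site Location.
func safeTrailingSlashRedirect(w http.ResponseWriter, r *http.Request) {
	target, ok := localRedirectTarget(r.URL.Path)
	if !ok {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	http.Redirect(w, r, target, http.StatusFound)
}

func main() {
	for _, p := range []string{"/assets", "//example.com/", `/\example.com`} {
		fmt.Println(localRedirectTarget(p))
	}
}
```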
Created grafana tracking bugs for this issue: Affects: fedora-all [bug 1851131]
Created golang-gopkg-macaron-1 tracking bugs for this issue: Affects: fedora-all [bug 1851288]
Statement: This issue has a low impact on both OpenShift Container Platform and OpenShift Service Mesh grafana containers. As neither component makes use of the Static handler, the impact is Low. A future version of Grafana may use the Macaron Static handler, so we may fix this in a future release. Red Hat Ceph Storage (RHCS) versions 3 and 4 use Grafana, where the affected version of the macaron package is delivered. However, the Static handler is not used by Ceph, hence the impact of this vulnerability is Low. Ceph-2 has reached End of Extended Life Cycle Support and is no longer receiving fixes for moderates/lows.
This issue has been addressed in the following products: OpenShift Service Mesh 1.1 via RHSA-2020:3369 https://access.redhat.com/errata/RHSA-2020:3369
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-12666