1850034 – (CVE-2020-12666) CVE-2020-12666 macaron: open redirect in the static handler

Bug 1850034 (CVE-2020-12666) - CVE-2020-12666 macaron: open redirect in the static handler

Summary: CVE-2020-12666 macaron: open redirect in the static handler

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-12666
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1850507 1851063 1851064 1851131 1851271 1851272 1851288 1851850
Blocks:	1850035
TreeView+	depends on / blocked

Reported:	2020-06-23 12:38 UTC by Michael Kaplan
Modified:	2021-06-10 14:16 UTC (History)
CC List:	32 users (show)
Fixed In Version:	macaron-1.3.7
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in macaron. Path URLs aren't cleaned before being redirected creating an open redirect in the static handler.
Clone Of:
Environment:
Last Closed:	2020-08-07 01:27:43 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2020:3369	0	None	None	None	2020-08-06 20:17:51 UTC

Description Michael Kaplan 2020-06-23 12:38:36 UTC

macaron before 1.3.7 has an open redirect in the static handler, as demonstrated by the http://127.0.0.1:4000//example.com/ URL.

https://github.com/go-macaron/macaron/issues/198
https://github.com/go-macaron/macaron/releases/tag/v1.3.7

Comment 2 Hardik Vyas 2020-06-25 11:34:15 UTC

PR: https://github.com/go-macaron/macaron/pull/199

Comment 4 Michael Kaplan 2020-06-25 16:28:21 UTC

Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 1851131]

Comment 8 Joshua Padman 2020-06-26 03:33:01 UTC

Created golang-gopkg-macaron-1 tracking bugs for this issue:

Affects: fedora-all [bug 1851288]

Comment 11 Przemyslaw Roguski 2020-06-26 08:24:03 UTC

Statement:

This issue has a low impact on both OpenShift Container Platform and OpenShift Service Mesh grafana containers. As neither components make use of the Static handler the impact is Low. A future version of Grafana may use the Macaron Static handler so we may fix this in a future release.

Red Hat Ceph Storage (RHCS) versions 3 and 4 use Grafana where the affected version of the macaron package is delivered. However the Static handler is not used by Ceph hence the impact by this vulnerability is Low. Ceph-2 has reached End of Extended Life Cycle Support and no longer fixing moderates/lows.

Comment 13 errata-xmlrpc 2020-08-06 20:17:49 UTC

This issue has been addressed in the following products:

  OpenShift Service Mesh 1.1
  Openshift Service Mesh 1.1

Via RHSA-2020:3369 https://access.redhat.com/errata/RHSA-2020:3369

Comment 14 Product Security DevOps Team 2020-08-07 01:27:43 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-12666

Note You need to log in before you can comment on or make changes to this bug.

agerstmayr
alegrand
amctagga
anharris
anpicker
bmontgom
bniver
eparis
erooth
flucifre
gmeno
go-sig
hvyas
jburrell
jokerman
kakkoyun
kconner
lcosic
mbenjamin
mgoodwin
mhackett
mloibl
nathans
nstielau
pkrupa
puebele
rcernich
sponnaga
surbania
vbellur
vereddy
zebob.m