Bug 1911314 (CVE-2020-35678) - CVE-2020-35678 python-autobahn: allows redirect header injection
Summary: CVE-2020-35678 python-autobahn: allows redirect header injection
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-35678
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1911317 1911315 1911316 1912659 1912660 1913652 1913653 1913673
Blocks: 1911318
TreeView+ depends on / blocked
 
Reported: 2020-12-28 17:47 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-06-07 15:03 UTC (History)
21 users (show)

Fixed In Version: python-autobahn 20.12.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python-autobahn, where it allows redirect header injection. The highest threat from this vulnerability is to confidentiality and integrity.
Clone Of:
Environment:
Last Closed: 2021-03-09 21:05:51 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:0778 0 None None None 2021-03-09 15:52:28 UTC
Red Hat Product Errata RHSA-2021:0779 0 None None None 2021-03-09 15:51:43 UTC
Red Hat Product Errata RHSA-2021:0780 0 None None None 2021-03-09 16:02:22 UTC

Description Guilherme de Almeida Suckevicz 2020-12-28 17:47:06 UTC
Autobahn|Python before 20.12.3 allows redirect header injection.

Reference and upstream patch:
https://github.com/crossbario/autobahn-python/pull/1439

Comment 1 Guilherme de Almeida Suckevicz 2020-12-28 17:47:33 UTC
Created python-autobahn tracking bugs for this issue:

Affects: epel-all [bug 1911316]
Affects: fedora-all [bug 1911315]
Affects: openstack-rdo [bug 1911317]

Comment 3 Summer Long 2021-01-05 05:02:38 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 9 Summer Long 2021-01-27 00:44:06 UTC
Statement:

In Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP python-autobahn package.

Comment 10 errata-xmlrpc 2021-03-09 15:51:42 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Tower 3.7 for RHEL 7

Via RHSA-2021:0779 https://access.redhat.com/errata/RHSA-2021:0779

Comment 11 errata-xmlrpc 2021-03-09 15:52:27 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Tower 3.6 for RHEL 7

Via RHSA-2021:0778 https://access.redhat.com/errata/RHSA-2021:0778

Comment 12 errata-xmlrpc 2021-03-09 16:02:21 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Tower 3.8 for RHEL 7

Via RHSA-2021:0780 https://access.redhat.com/errata/RHSA-2021:0780

Comment 13 Product Security DevOps Team 2021-03-09 21:05:51 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-35678


Note You need to log in before you can comment on or make changes to this bug.