Autobahn|Python before 20.12.3 allows redirect header injection. Reference and upstream patch: https://github.com/crossbario/autobahn-python/pull/1439
Created python-autobahn tracking bugs for this issue:
  Affects: epel-all [bug 1911316]
  Affects: fedora-all [bug 1911315]
  Affects: openstack-rdo [bug 1911317]
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Statement: In Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP python-autobahn package.
This issue has been addressed in the following products:
  Red Hat Ansible Tower 3.7 for RHEL 7
  Via RHSA-2021:0779 https://access.redhat.com/errata/RHSA-2021:0779
This issue has been addressed in the following products:
  Red Hat Ansible Tower 3.6 for RHEL 7
  Via RHSA-2021:0778 https://access.redhat.com/errata/RHSA-2021:0778
This issue has been addressed in the following products:
  Red Hat Ansible Tower 3.8 for RHEL 7
  Via RHSA-2021:0780 https://access.redhat.com/errata/RHSA-2021:0780
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-35678