Bug 1850034 (CVE-2020-12666) - CVE-2020-12666 macaron: open redirect in the static handler
Summary: CVE-2020-12666 macaron: open redirect in the static handler
Alias: CVE-2020-12666
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1850507 1851063 1851064 1851131 1851271 1851272 1851288 1851850
Blocks: 1850035
Reported: 2020-06-23 12:38 UTC by Michael Kaplan
Modified: 2021-06-10 14:16 UTC

Fixed In Version: macaron-1.3.7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in macaron. Path URLs are not cleaned before being used as redirect targets, creating an open redirect in the static handler.
Clone Of:
Last Closed: 2020-08-07 01:27:43 UTC

Attachments

External trackers:
  System: Red Hat Product Errata
  ID: RHSA-2020:3369
  Private: 0
  Priority: None
  Status: None
  Summary: None
  Last Updated: 2020-08-06 20:17:51 UTC

Description Michael Kaplan 2020-06-23 12:38:36 UTC
macaron before 1.3.7 has an open redirect in the static handler, as demonstrated by the URL.

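As an added illustration, not code from the macaron project or from this bug report, the following Go program shows the pattern the Doc Text describes: a static handler that builds its trailing-slash redirect from the raw request path, beside a version that cleans the path first, plus a check that flags any redirect leaving the site's origin. The request paths and the "evil.example" host are constructed placeholders; the function names are the example's own.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
	"strings"
)

// unsafeDirRedirect mimics a static handler that, on a directory request
// lacking a trailing slash, redirects to the raw request path plus "/".
// Nothing is normalised, so a path beginning with "//" is passed straight
// through and becomes a protocol-relative Location header.
func unsafeDirRedirect(reqPath string) string {
	return reqPath + "/"
}

// safeDirRedirect normalises before redirecting: the path is rooted with a
// single "/" and run through path.Clean, which collapses repeated slashes and
// resolves "." and ".." segments, so the result is always a same-origin
// absolute path. The trailing slash is re-added afterwards.
func safeDirRedirect(reqPath string) string {
	cleaned := path.Clean("/" + reqPath)
	if !strings.HasSuffix(cleaned, "/") {
		cleaned += "/"
	}
	return cleaned
}

// locationHeader feeds a redirect target through http.Redirect against an
// in-memory response recorder and returns the Location header a client would
// receive. http.Redirect only cleans targets it considers relative; a target
// that parses with a host part is sent unchanged.
func locationHeader(target string) string {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	http.Redirect(rec, req, target, http.StatusFound)
	return rec.Header().Get("Location")
}

// isOffSite reports whether a Location value would take the browser to a
// different origin: any scheme or host component means it is not a plain
// same-origin path. This is the check a test suite can apply to every
// redirect a handler emits.
func isOffSite(location string) bool {
	u, err := url.Parse(location)
	if err != nil {
		return true // unparseable: treat as unsafe
	}
	return u.Scheme != "" || u.Host != ""
}

func main() {
	// Constructed sample request paths; "evil.example" is a placeholder host.
	for _, p := range []string{"/static/css", "//evil.example/.."} {
		for name, fn := range map[string]func(string) string{
			"unsafe": unsafeDirRedirect,
			"safe":   safeDirRedirect,
		} {
			loc := locationHeader(fn(p))
			fmt.Printf("%-6s %-20s -> Location: %-22s off-site=%v\n", name, p, loc, isOffSite(loc))
		}
	}
}
```

Running it shows that only the cleaned variant turns the "//"-prefixed request into a same-origin "/" redirect; the raw variant emits the path unchanged, which a browser resolves against the leading "//" as another host.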

Comment 2 Hardik Vyas 2020-06-25 11:34:15 UTC
PR: https://github.com/go-macaron/macaron/pull/199

Comment 4 Michael Kaplan 2020-06-25 16:28:21 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 1851131]

Comment 8 Joshua Padman 2020-06-26 03:33:01 UTC
Created golang-gopkg-macaron-1 tracking bugs for this issue:

Affects: fedora-all [bug 1851288]

Comment 11 Przemyslaw Roguski 2020-06-26 08:24:03 UTC

This issue has a low impact on both OpenShift Container Platform and OpenShift Service Mesh grafana containers. As neither component makes use of the Static handler, the impact is Low. A future version of Grafana may use the Macaron Static handler, so we may fix this in a future release.

Red Hat Ceph Storage (RHCS) versions 3 and 4 use Grafana, where the affected version of the macaron package is delivered. However, the Static handler is not used by Ceph, hence the impact of this vulnerability is Low. Ceph-2 has reached End of Extended Life Cycle Support and is no longer fixing moderates/lows.

Comment 13 errata-xmlrpc 2020-08-06 20:17:49 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.1
  Openshift Service Mesh 1.1

Via RHSA-2020:3369 https://access.redhat.com/errata/RHSA-2020:3369

Comment 14 Product Security DevOps Team 2020-08-07 01:27:43 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

