Message-ID: <ebb955eb-5f5c-473a-35a4-1ff66d6b97d0@apache.org>
Date: Mon, 17 Jan 2022 17:48:28 +0000
From: Larry McCay <lmccay@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2021-42357: DOM based XSS Vulnerability in Apache Knox 

Severity: moderate

Description:

When using Knox SSO in affected releases, a request could be crafted to
redirect a user to a malicious page due to improper URL parsing.
A request that included a specially crafted request parameter could be
used to redirect the user to a page controlled by an attacker. This URL
would need to be presented to the user outside the normal request flow
through an XSS or phishing campaign.

Mitigation:

1.x users should upgrade to 1.6.1.
Unsupported versions of the 0.x line that include this issue are 0.13.0 and 0.14.0,
and these should upgrade to 1.6.1 as well.
1.0.0 and 1.1.0 are also unsupported but affected and should upgrade to 1.6.1.


Credit:

Apache Knox would like to thank Kajetan Rostojek for this report.
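The advisory attributes the redirect to improper URL parsing of a request parameter. As an added illustration, not code from the advisory or from the Knox project, the following contrasts a string-matching check with a validator that actually parses the parameter and compares its host against an allowlist; the host names, the ALLOWED_HOSTS set and the function names are constructed for this example.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist: the only hosts an SSO service should send a user back to.
ALLOWED_HOSTS = {"gateway.example.internal", "app.example.internal"}


def naive_redirect_ok(url: str) -> bool:
    """A substring test on the raw string: the weak pattern this example warns against."""
    return url.startswith("/") or "example.internal" in url


def safe_redirect_target(url: str, allowed_hosts=ALLOWED_HOSTS) -> Optional[str]:
    """Parse the redirect parameter and return a normalized target, or None to reject it."""
    # Browsers treat backslashes like forward slashes, so normalize before parsing;
    # otherwise "/\evil.example" looks like a local path but leaves the site.
    candidate = url.replace("\\", "/")
    if candidate.startswith("//"):
        return None  # scheme-relative URL: inherits the scheme but changes the host
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # A same-origin relative path is acceptable only if it is absolute-path form.
        if not candidate.startswith("/"):
            return None
        return urlunsplit(("", "", parts.path, parts.query, ""))
    if parts.scheme not in ("http", "https"):
        return None  # rejects javascript:, data:, and other non-web schemes
    if parts.username is not None or parts.password is not None:
        return None  # "https://trusted.host@other.host" style confusion
    host = parts.hostname  # lowercased, with userinfo and port stripped
    if host is None or host not in allowed_hosts:
        return None
    # Drop the fragment and keep the rest exactly as parsed.
    return urlunsplit((parts.scheme, parts.netloc, parts.path or "/", parts.query, ""))
```

The naive check accepts "https://gateway.example.internal.evil.example/" and "/\evil.example" because the raw string looks local; the parsing check rejects both.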
