Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-P44J-XRQG-4XRR
HistoryMar 08, 2021 - 9:06 p.m.

URL Redirection to Untrusted Site ('Open Redirect') in Products.PluggableAuthService

2021-03-0821:06:23
CWE-601
GitHub Advisory Database
github.com
33

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.007 Low

EPSS

Percentile

79.4%

JSON

Impact

What kind of vulnerability is it? Who is impacted?

Open redirect vulnerability - a maliciously crafted link to the login form and login functionality could redirect the browser to a different website.

Patches

Has the problem been patched? What versions should users upgrade to?

The problem has been fixed in version 2.6.1. Depending on how you have installed Products.PluggableAuthService, you should change the buildout version pin to 2.6.1 and re-run the buildout, or if you used pip simply do pip install "Products.PluggableAuthService>=2.6.1"

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

There is no workaround. Users are encouraged to upgrade.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

CPENameOperatorVersion
products.pluggableauthservicelt2.6.1

Related

cve 1
prion 1
osv 3
zdt 1
packetstorm 1
veracode 1
exploitdb 1
cve
cve
CVE-2021-21337
2021-03-08 21:15:00
prion
prion
Open redirect
2021-03-08 21:15:00
osv
osv
CVE-2021-21337
2021-03-08 21:15:16
URL Redirection to Untrusted Site ('Open Redirect') in Products.PluggableAuthService
2021-03-08 21:06:23
PYSEC-2021-45
2021-03-08 21:15:00
zdt
zdt
Products.PluggableAuthService 2.6.0 - Open Redirect Vulnerability
2021-06-02 00:00:00
packetstorm
packetstorm
Products.PluggableAuthService 2.6.0 Open Redirect
2021-06-02 00:00:00
veracode
veracode
Open Redirection
2021-03-10 06:51:14
exploitdb
exploitdb
Products.PluggableAuthService 2.6.0 - Open Redirect
2021-06-02 00:00:00

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.007 Low

EPSS

Percentile

79.4%

JSON
Related for GHSA-P44J-XRQG-4XRR
cve1prion1osv3zdt1packetstorm1veracode1exploitdb1