CVE-2020-29565
Publication date 4 December 2020
Last updated 24 July 2024
Ubuntu priority
An issue was discovered in OpenStack Horizon before 15.3.2, 16.x before 16.2.1, 17.x and 18.x before 18.3.3, 18.4.x, and 18.5.x. There is a lack of validation of the "next" parameter, which would allow someone to supply a malicious URL in Horizon that can cause an automatic redirect to the provided malicious URL.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| horizon | ||
| 20.04 LTS focal |
Fixed 3:18.3.2-0ubuntu0.20.04.4
|
|
| 18.04 LTS bionic |
Fixed 3:13.0.3-0ubuntu2
|
|
| 16.04 LTS xenial |
Fixed 2:9.1.2-0ubuntu5.2
|
|
| 14.04 LTS trusty | Not in release | |
| openstack | ||
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty | Not in release |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
6.1 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-4675-1
- OpenStack Horizon vulnerability
- 5 January 2021