Date: Mon, 17 Jan 2022 17:48:28 +0000 From: Larry McCay <lmccay@...che.org> To: oss-security@...ts.openwall.com Subject: CVE-2021-42357: DOM based XSS Vulnerability in Apache Knox Severity: moderate Description: When using Knox SSO in affected releases, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This URL would need to be presented to the user outside the normal request flow through a XSS or phishing campaign. Mitigation: 1.x users should upgrade to 1.6.1. Unsupported versions of the 0.x line that include this issue are: 0.13.0, 0.14.0. and these should upgrade to 1.6.1 as well. 1.0.0 and 1.1.0 are also Unsupported but affected and should upgrade to 1.6.1. Credit: Apache Knox would like to thank Kajetan Rostojek for this report
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.