GHSA-4r8q-gv9j-3xx6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4r8q-gv9j-3xx6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-4r8q-gv9j-3xx6/GHSA-4r8q-gv9j-3xx6.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-4r8q-gv9j-3xx6
- Aliases
- Published
- 2022-03-18T17:55:07Z
- Modified
- 2023-11-08T04:05:55.547931Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- Open Redirect
- Details
-
Impact
In some situations, it is possible to have open redirects where users can be redirected from your site to any other site using a specially crafted URL. This is only the case for installations where the default Hostname Identification is used and the environment uses tenants that have
force_httpsset totrue(default:false)Patches
Version 5.7.2 contains the relevant patches to fix this bug. Stripping the URL from special characters to prevent specially crafted URL's from being redirected to.
Workarounds
There is a simple way to work around the security issue - Set the
force_httpsto every tenant tofalseReferences
https://nvd.nist.gov/vuln/detail/CVE-2018-11784
For more information
If you have any questions or comments about this advisory: * Contact us in Discord: https://tenancy.dev/chat
- Database specific
{ "nvd_published_at": "2021-05-27T17:15:00Z", "github_reviewed_at": "2021-05-27T20:40:11Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-601" ] }- References
-
- https://github.com/tenancy/multi-tenant/security/advisories/GHSA-4r8q-gv9j-3xx6
- https://nvd.nist.gov/vuln/detail/CVE-2021-32645
- https://github.com/tenancy/multi-tenant/commit/9c837a21bccce9bcaeb90033ef200d84f0d9e164
- https://packagist.org/packages/hyn/multi-tenant
- https://webmasters.googleblog.com/2009/01/open-redirect-urls-is-your-site-being.html
Affected packages
Packagist / hyn/multi-tenant
Package
- Name
- hyn/multi-tenant
- Purl
- pkg:composer/hyn/multi-tenant