CVE-2017-16652: Open redirect vulnerability

June 13, 2018 (updated March 13, 2019)

DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler take the content of the _target_path parameter and generate a redirect response but no check is performed on the path, which could be an absolute URL to an external domain, opening redirect vulnerability. Open redirect vulnerability are not too much considered but they can be exploited for example to mount effective phishing attacks.

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16652
symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers
github.com/symfony/symfony/pull/24995

Detect and mitigate CVE-2017-16652 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →