CVE-2024-21497: URL Redirection to Untrusted Site ('Open Redirect')

February 17, 2024 (updated February 20, 2024)

All versions of the package github.com/greenpau/caddy-security is vulnerable to Open Redirect via the redirect_url parameter. An attacker could perform a phishing attack and trick users into visiting a malicious website by crafting a convincing URL with this parameter. To exploit this vulnerability, the user must take an action, such as clicking on a portal button or using the browser’s back button, to trigger the redirection.

References

blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy
github.com/advisories/GHSA-8hp3-rmr7-xh88
github.com/greenpau/caddy-security/issues/268
nvd.nist.gov/vuln/detail/CVE-2024-21497
security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249861

Detect and mitigate CVE-2024-21497 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →