CVE-2021-23393: URL Redirection to Untrusted Site (Open Redirect)
When using the _validate_redirect_url function, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple backslashes, such as \\\evil.com/path. This vulnerability is only exploitable if a WSGI server other than Werkzeug is used, or if the default behaviour of Werkzeug is modified using autocorrect_location_header=False.
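As an added illustration (this is not code from the advisory or from the affected project), a naive validator built on urlparse() is shown beside a hardened one that folds backslashes to forward slashes before checking, so the check sees the same authority a browser will resolve. The host name app.example and both function names are constructed for the example.

```python
from urllib.parse import urlparse


def naive_is_safe_redirect(target: str, host: str) -> bool:
    """Constructed example of the weak pattern: trust urlparse() as-is.

    urlparse() does not treat backslashes as separators, so a target such as
    \\\evil.com/path parses as a bare path with an empty netloc and passes.
    Browsers, however, normalise backslashes to forward slashes and follow it
    to //evil.com/path, i.e. a scheme-relative URL on another host.
    """
    parsed = urlparse(target)
    return parsed.netloc == "" or parsed.netloc.lower() == host.lower()


def hardened_is_safe_redirect(target: str, host: str) -> bool:
    """Accept only same-origin targets, judged after browser-style normalisation.

    Accepted forms: an absolute path starting with a single "/" (so not "//"),
    or an absolute http(s) URL whose netloc is exactly our host.
    """
    # Control characters (including DEL) are stripped or tolerated inconsistently
    # across servers and browsers, so refuse them outright.
    if not target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    # Fold backslashes first: this is what turns \\\evil.com into ///evil.com,
    # which browsers treat as an authority, before urlparse() ever sees it.
    normalised = target.replace("\\", "/")
    parsed = urlparse(normalised)
    if parsed.scheme:
        # Non-http(s) schemes and any foreign (or empty) netloc are rejected.
        return parsed.scheme in ("http", "https") and parsed.netloc.lower() == host.lower()
    # Scheme-less input: "//host" is scheme-relative and "///host" is also
    # resolved as an authority by browsers, so both are rejected here.
    return normalised.startswith("/") and not normalised.startswith("//")


if __name__ == "__main__":
    # Note: with Werkzeug's default autocorrect_location_header=True the Location
    # header is made absolute against the request host, which is why the advisory
    # says the bypass only applies to other WSGI servers or to that setting disabled.
    sample = "\\\\\\evil.com/path"  # the advisory's \\\evil.com/path
    print("naive   :", naive_is_safe_redirect(sample, "app.example"))      # True (bypassed)
    print("hardened:", hardened_is_safe_redirect(sample, "app.example"))   # False (rejected)
```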