GitHub Advisory DatabaseGHSA-J6JQ-3Q8P-XGG6Netflix Security Monkey Open Redirect vulnerability
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
52.0%
Netflix Security Monkey before 0.8.0 has an Open Redirect. The logout functionality accepted the “next” parameter which then redirects to any domain irrespective of the Host header.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| netflix | security_monkey | * | cpe:2.3:a:netflix:security_monkey:*:*:*:*:*:*:*:* |
References
github.com/advisories/GHSA-j6jq-3q8p-xgg6
github.com/Netflix/security_monkey/commit/3b4da13efabb05970c80f464a50d3c1c12262466
github.com/Netflix/security_monkey/pull/482
github.com/Netflix/security_monkey/releases/tag/v0.8.0
nvd.nist.gov/vuln/detail/CVE-2017-7266
web.archive.org/web/20201220170714/www.securityfocus.com/bid/97088
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
52.0%