Lucene search

Https://gitlab.com/gitlab-org/security-products/gemnasium-dbGITLAB-BA003A6E9AEDD168FE3F3EDC0217A5E1

HistoryJun 29, 2021 - 12:00 a.m.

URL Redirection to Untrusted Site (Open Redirect)

2021-06-2900:00:00

https://gitlab.com/gitlab-org/security-products/gemnasium-db

gitlab.com

powermux

url redirection

untrusted sites

phishing links

open redirects

trailing slash redirection

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

33.8%

JSON

PowerMux is a drop-in replacement for Go’s http.ServeMux. In PowerMux, attackers may be able to craft phishing links and other open redirects by exploiting the trailing slash redirection feature. This may lead to users being redirected to untrusted sites after following an attacker crafted link.

Affected configurations

Vulners

Node

gopowermuxRange<v1.1.1

VendorProductVersionCPE
gopowermux*cpe:2.3:a:go:powermux:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
go	powermux	*	cpe:2.3:a:go:powermux::::::::

References

nvd.nist.gov/vuln/detail/CVE-2021-32721

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

33.8%

JSON

Related for GITLAB-BA003A6E9AEDD168FE3F3EDC0217A5E1