Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1qOXItd3dtOC03cTUy
Open Redirect in github.com/AndrewBurian/powermux
Impact
Attackers may be able to craft phishing links and other open redirects by exploiting the trailing slash redirection feature. This may lead to users being redirected to untrusted sites after following an attacker crafted link.
Patches
The issue is resolved in v1.1.1.
Workarounds
There are no existing workarounds.
You may detect attempts to craft URLs that exploit this feature by looking for request paths containing pairs of forward slashes in sequence combined with a trailing slash, e.g. https://example.com//foo/
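The detection heuristic above, implemented as an added Go example that is not part of the advisory or the powermux project: it flags request paths that contain consecutive slashes and end with a trailing slash, and runs over a few constructed access-log lines (the `METHOD PATH STATUS` line format is assumed for illustration).

```go
package main

import (
	"fmt"
	"strings"
)

// SuspiciousTrailingSlashPath reports whether a request path matches the
// advisory's detection heuristic: a pair of consecutive forward slashes
// anywhere in the path combined with a trailing slash, e.g. "//foo/".
func SuspiciousTrailingSlashPath(path string) bool {
	return strings.Contains(path, "//") && strings.HasSuffix(path, "/")
}

// FlagSuspiciousRequests scans log lines of the assumed form
// "METHOD PATH STATUS" and returns the paths that match the heuristic.
func FlagSuspiciousRequests(lines []string) []string {
	var flagged []string
	for _, line := range lines {
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue // malformed line, nothing to inspect
		}
		if SuspiciousTrailingSlashPath(fields[1]) {
			flagged = append(flagged, fields[1])
		}
	}
	return flagged
}

func main() {
	// Constructed sample log lines, not real traffic.
	sample := []string{
		"GET /foo/ 301",
		"GET //foo/ 301",
		"GET /bar//baz/ 301",
		"GET /bar//baz 200",
		"GET / 200",
	}
	for _, p := range FlagSuspiciousRequests(sample) {
		fmt.Println("suspicious path:", p)
	}
}
```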
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1qOXItd3dtOC03cTUy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: over 1 year ago
CVSS Score: 4.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-mj9r-wwm8-7q52, CVE-2021-32721
References:
- https://github.com/AndrewBurian/powermux/security/advisories/GHSA-mj9r-wwm8-7q52
- https://nvd.nist.gov/vuln/detail/CVE-2021-32721
- https://github.com/AndrewBurian/powermux/commit/5e60a8a0372b35a898796c2697c40e8daabed8e9
- https://github.com/advisories/GHSA-mj9r-wwm8-7q52
Blast Radius: 2.2
Affected Packages
go:github.com/AndrewBurian/powermux
Dependent packages: 1
Dependent repositories: 3
Downloads:
Affected Version Ranges: < 1.1.1
Fixed in: 1.1.1
All affected versions: 1.0.0, 1.1.0
All unaffected versions: 1.1.1