
CVE-2020-29565 : What You Need to Know

Learn about CVE-2020-29565 affecting OpenStack Horizon versions before 15.3.2, 16.x, 17.x, and 18.x. Find mitigation steps and updates to prevent malicious URL redirection.

OpenStack Horizon versions before 15.3.2, 16.x before 16.2.1, 17.x, and 18.x before 18.3.3, 18.4.x, and 18.5.x are affected by an open-redirect vulnerability: because the 'next' parameter is not validated, users can be sent to an attacker-chosen URL.

Understanding CVE-2020-29565

This CVE identifies a lack of validation in the 'next' parameter in OpenStack Horizon, enabling an attacker to redirect users to a malicious URL.

What is CVE-2020-29565?

The vulnerability in OpenStack Horizon allows an attacker to place a malicious URL in Horizon's 'next' parameter; a user who follows such a link is automatically redirected to that URL.

The Impact of CVE-2020-29565

This vulnerability could be exploited to lure users from what looks like a trusted Horizon link onto a malicious website, potentially leading to further security breaches such as credential phishing or data theft.

Technical Details of CVE-2020-29565

OpenStack Horizon's vulnerability is detailed below:

Vulnerability Description

The issue arises from the lack of validation in the 'next' parameter, enabling the automatic redirection to a malicious URL.

Affected Systems and Versions

        OpenStack Horizon versions before 15.3.2, 16.x before 16.2.1, 17.x, and 18.x before 18.3.3, 18.4.x, and 18.5.x.

Exploitation Mechanism

Attackers can exploit this vulnerability by setting Horizon's 'next' parameter to a URL of their choosing; Horizon performs no validation and automatically redirects the user to that URL.

Mitigation and Prevention

To address CVE-2020-29565, consider the following steps:

Immediate Steps to Take

        Update OpenStack Horizon to versions 15.3.2, 16.2.1, 18.3.3, 18.4.x, or 18.5.x that contain fixes for this vulnerability.
        Validate redirect targets such as the 'next' parameter so that only relative paths or allow-listed hosts are honoured; anything else should be rejected and replaced with a safe default.
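One way to perform that validation, added here as an illustration and not OpenStack Horizon's own patch: a standalone Python check that applies the same rules as Django's url_has_allowed_host_and_scheme() (Horizon is a Django application) without depending on Django. ALLOWED_HOSTS is an assumed value for the example.

```python
from urllib.parse import urlsplit

# Hosts the dashboard is legitimately served on (assumed value for this example).
ALLOWED_HOSTS = {"horizon.example.internal"}
DEFAULT_REDIRECT = "/"


def is_safe_redirect(url, allowed_hosts=ALLOWED_HOSTS, require_https=False):
    """Return True only if `url` keeps the user on an allowed host.

    Accepts relative paths and absolute http(s) URLs to an allowed host.
    Rejects the forms naive checks miss: protocol-relative ("//evil"),
    backslash ("/\\evil"), triple-slash ("///evil"), scheme-without-host
    ("http:evil", "javascript:...") and URLs carrying control characters.
    """
    if url is None:
        return False
    url = url.strip()
    if not url:
        return False
    # Some browsers skip leading control characters, so "\x01//evil" could
    # still be read as protocol-relative; refuse control chars anywhere.
    if any(ord(c) < 0x20 or c.isspace() for c in url):
        return False
    # Browsers treat "\" like "/", so "/\\evil.test" is really "//evil.test".
    url = url.replace("\\", "/")
    parts = urlsplit(url)
    # "///evil.test" parses with an empty netloc, yet browsers use "evil.test"
    # as the host.
    if url.startswith("//") and not parts.netloc:
        return False
    scheme = parts.scheme.lower()
    if scheme and not parts.netloc:
        return False  # "http:evil.test", "javascript:alert(1)"
    if not scheme and parts.netloc:
        scheme = "http"  # protocol-relative: assume the weaker scheme
    allowed_schemes = ("https",) if require_https else ("http", "https")
    if scheme and scheme not in allowed_schemes:
        return False
    # netloc is compared whole, so "user@evil.test" or "host:8443" must
    # match an allow-list entry exactly.
    return not parts.netloc or parts.netloc.lower() in allowed_hosts


def resolve_next(next_param, allowed_hosts=ALLOWED_HOSTS):
    """Target the login view should use: the validated 'next' or a safe default."""
    if is_safe_redirect(next_param, allowed_hosts):
        return next_param
    return DEFAULT_REDIRECT
```

The login view should call resolve_next() on the raw parameter and redirect only to its return value, never to the parameter itself.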

Long-Term Security Practices

        Regularly monitor and update all software components to address security vulnerabilities promptly.
        Educate users about the risks of clicking on unknown or suspicious URLs.

Patching and Updates

        Apply patches provided by OpenStack to fix the vulnerability and enhance system security.
