CVE-2021-42357

Summary

When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This URL would need to be presented to the user outside the normal request flow through a XSS or phishing campaign.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache KnoxApache Knox 1.x < 1.6.1affected
Apache Software FoundationApache Knox0.12.0 < Apache Knox 0.x*affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Workarounds

1.x users should upgrade to 1.6.1. Unsupported versions of the 0.x line that include this issue are: 0.13.0, 0.14.0. and these should upgrade to 1.6.1 as well. 1.0.0 and 1.1.0 are also Unsupported but affected and should upgrade to 1.6.1.

ADP Enrichment

CVE Program Container

Additional References

References