GHSA-WCX9-CCPJ-HX3C

Vulnerability from github – Published: 2024-10-28 18:31 – Updated: 2024-10-30 18:50
VLAI
Summary
Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect')
Details

Summary

An issue on Coder's login page allows attackers to craft a Coder URL that when clicked by a logged in user could redirect them to a website the attacker controls, e.g. https://google.com.

Details

On the login page, Coder checks for the presence of a redirect query parameter. On successful login, the user would be redirected to the location of the parameter. Improper sanitization allows attackers to specify a URL outside of the Coder application to redirect users to.

Impact

Coder users could potentially be redirected to a untrusted website if tricked into clicking a URL crafted by the attacker. Coder authentication tokens are not leaked to the resulting website.

To check if your deployment is vulnerable, visit the following URL for your Coder deployment: - https://<coder url>/login?redirect=https%3A%2F%2Fcoder.com%2Fdocs

Patched Versions

This vulnerability is remedied in - v2.16.1 - v2.15.3 - v2.14.4

All versions prior to 2.3.1 are not affected.

Thanks

  • https://github.com/jchristov

References

https://github.com/coder/coder/security/advisories/GHSA-wcx9-ccpj-hx3c https://github.com/coder/coder/commit/69c1d981e3131e50d52b01f6a360abadaad699e6

Severity
4.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
5.1 (Medium)
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/coder/coder/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.16.0"
            },
            {
              "fixed": "2.16.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.16.0"
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/coder/coder/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.15.0"
            },
            {
              "fixed": "2.15.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/coder/coder/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.1"
            },
            {
              "fixed": "2.14.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-28T18:31:57Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nAn issue on Coder\u0027s login page allows attackers to craft a Coder URL that when clicked by a logged in user could redirect them to a website the attacker controls, e.g. https://google.com.\n\n### Details\nOn the login page, Coder checks for the presence of a `redirect` query parameter. On successful login, the user would be redirected to the location of the parameter. Improper sanitization allows attackers to specify a URL outside of the Coder application to redirect users to.\n\n### Impact\nCoder users could potentially be redirected to a untrusted website if tricked into clicking a URL crafted by the attacker. Coder authentication tokens are **not** leaked to the resulting website.\n\nTo check if your deployment is vulnerable, visit the following URL for your Coder deployment:\n- `https://\u003ccoder url\u003e/login?redirect=https%3A%2F%2Fcoder.com%2Fdocs`\n\n### Patched Versions\nThis vulnerability is remedied in\n- v2.16.1\n- v2.15.3\n- v2.14.4\n\nAll versions prior to 2.3.1 are not affected.\n\n### Thanks\n- https://github.com/jchristov\n\n### References\nhttps://github.com/coder/coder/security/advisories/GHSA-wcx9-ccpj-hx3c\nhttps://github.com/coder/coder/commit/69c1d981e3131e50d52b01f6a360abadaad699e6",
  "id": "GHSA-wcx9-ccpj-hx3c",
  "modified": "2024-10-30T18:50:39Z",
  "published": "2024-10-28T18:31:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/coder/coder/security/advisories/GHSA-wcx9-ccpj-hx3c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coder/coder/commit/69c1d981e3131e50d52b01f6a360abadaad699e6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/coder/coder"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Coder vulnerable to post-auth URL redirection to untrusted site (\u0027Open Redirect\u0027)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.