{
  "threat_severity" : "Moderate",
  "public_date" : "2021-05-13T00:00:00Z",
  "bugzilla" : {
    "description" : "openstack-nova: novnc allows open redirection",
    "id" : "1961439",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1961439"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-601",
  "details" : [ "A vulnerability was found in openstack-nova's console proxy, noVNC. A crafted URL could make noVNC redirect to any desired URL.", "A vulnerability was found in CPython, which is used by openstack-nova's console proxy, noVNC. A crafted URL could make noVNC redirect to any desired URL." ],
  "acknowledgement" : "Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Salman Khan (Monash University Cyber Security team), Shahaan Ayyub (Monash University Cyber Security team), and Swe Aung (Monash University Cyber Security team) as the original reporters.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenStack Platform 16.1",
    "release_date" : "2022-03-24T00:00:00Z",
    "advisory" : "RHSA-2022:0983",
    "cpe" : "cpe:/a:redhat:openstack:16.1::el8",
    "package" : "openstack-nova-1:20.4.1-1.20220112153422.1ee93b9.el8ost"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "release_date" : "2022-03-23T00:00:00Z",
    "advisory" : "RHSA-2022:0999",
    "cpe" : "cpe:/a:redhat:openstack:16.2::el8",
    "package" : "openstack-nova-1:20.6.2-2.20220112164912.8906554.el8ost"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Out of support scope",
    "package_name" : "openstack-nova",
    "cpe" : "cpe:/a:redhat:openstack:10"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Out of support scope",
    "package_name" : "openstack-nova",
    "cpe" : "cpe:/a:redhat:openstack:13"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-3654\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3654\nhttps://www.openwall.com/lists/oss-security/2021/07/29/2" ],
  "name" : "CVE-2021-3654",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria, which comprise ease of use and deployment, applicability to a widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}