CVE-2021-32645 - Vulnerability Details

Vendors	Products
Tenancy	Multi-tenant

Link	Providers
https://github.com/tenancy/multi-tenant/commit/9c837a21bccce9bcaeb90033ef200d84f0d9e164
https://github.com/tenancy/multi-tenant/security/advisories/GHSA-4r8q-gv9j-3xx6
https://packagist.org/packages/hyn/multi-tenant
https://webmasters.googleblog.com/2009/01/open-redirect-urls-is-your-site-being.html

{"containers": {"cna": {"affected": [{"product": "multi-tenant", "vendor": "tenancy", "versions": [{"status": "affected", "version": ">=5.6.0, < 5.7.2"}]}], "descriptions": [{"lang": "en", "value": "Tenancy multi-tenant is an open source multi-domain controller for the Laravel web framework. In some situations, it is possible to have open redirects where users can be redirected from your site to any other site using a specially crafted URL. This is only the case for installations where the default Hostname Identification is used and the environment uses tenants that have `force_https` set to `true` (default: `false`). Version 5.7.2 contains the relevant patches to fix this bug. Stripping the URL from special characters to prevent specially crafted URL's from being redirected to. As a work around users can set the `force_https` to every tenant to `false`, however this may degrade connection security."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-05-27T16:50:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/tenancy/multi-tenant/security/advisories/GHSA-4r8q-gv9j-3xx6"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/tenancy/multi-tenant/commit/9c837a21bccce9bcaeb90033ef200d84f0d9e164"}, {"tags": ["x_refsource_MISC"], "url": "https://packagist.org/packages/hyn/multi-tenant"}, {"tags": ["x_refsource_MISC"], "url": "https://webmasters.googleblog.com/2009/01/open-redirect-urls-is-your-site-being.html"}], "source": {"advisory": "GHSA-4r8q-gv9j-3xx6", "discovery": "UNKNOWN"}, "title": "Open Redirect in tenancy", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-32645", "STATE": "PUBLIC", "TITLE": "Open Redirect in tenancy"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "multi-tenant", "version": {"version_data": [{"version_value": ">=5.6.0, < 5.7.2"}]}}]}, "vendor_name": "tenancy"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Tenancy multi-tenant is an open source multi-domain controller for the Laravel web framework. In some situations, it is possible to have open redirects where users can be redirected from your site to any other site using a specially crafted URL. This is only the case for installations where the default Hostname Identification is used and the environment uses tenants that have `force_https` set to `true` (default: `false`). Version 5.7.2 contains the relevant patches to fix this bug. Stripping the URL from special characters to prevent specially crafted URL's from being redirected to. As a work around users can set the `force_https` to every tenant to `false`, however this may degrade connection security."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/tenancy/multi-tenant/security/advisories/GHSA-4r8q-gv9j-3xx6", "refsource": "CONFIRM", "url": "https://github.com/tenancy/multi-tenant/security/advisories/GHSA-4r8q-gv9j-3xx6"}, {"name": "https://github.com/tenancy/multi-tenant/commit/9c837a21bccce9bcaeb90033ef200d84f0d9e164", "refsource": "MISC", "url": "https://github.com/tenancy/multi-tenant/commit/9c837a21bccce9bcaeb90033ef200d84f0d9e164"}, {"name": "https://packagist.org/packages/hyn/multi-tenant", "refsource": "MISC", "url": "https://packagist.org/packages/hyn/multi-tenant"}, {"name": "https://webmasters.googleblog.com/2009/01/open-redirect-urls-is-your-site-being.html", "refsource": "MISC", "url": "https://webmasters.googleblog.com/2009/01/open-redirect-urls-is-your-site-being.html"}]}, "source": {"advisory": "GHSA-4r8q-gv9j-3xx6", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:25:30.930Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/tenancy/multi-tenant/security/advisories/GHSA-4r8q-gv9j-3xx6"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/tenancy/multi-tenant/commit/9c837a21bccce9bcaeb90033ef200d84f0d9e164"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://packagist.org/packages/hyn/multi-tenant"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://webmasters.googleblog.com/2009/01/open-redirect-urls-is-your-site-being.html"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-32645", "datePublished": "2021-05-27T16:50:11", "dateReserved": "2021-05-12T00:00:00", "dateUpdated": "2024-08-03T23:25:30.930Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tenancy:multi-tenant:*:*:*:*:*:*:*:*", "matchCriteriaId": "694DCF0D-2851-4E42-8F9C-A74FA84527D2", "versionEndExcluding": "5.7.2", "versionStartIncluding": "5.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Tenancy multi-tenant is an open source multi-domain controller for the Laravel web framework. In some situations, it is possible to have open redirects where users can be redirected from your site to any other site using a specially crafted URL. This is only the case for installations where the default Hostname Identification is used and the environment uses tenants that have `force_https` set to `true` (default: `false`). Version 5.7.2 contains the relevant patches to fix this bug. Stripping the URL from special characters to prevent specially crafted URL's from being redirected to. As a work around users can set the `force_https` to every tenant to `false`, however this may degrade connection security."}, {"lang": "es", "value": "Tenancy multi-tenant es un controlador multidominio de c\u00f3digo abierto para el Laravel web framework. En algunas situaciones, es posible tener redireccionamientos abiertos donde los usuarios pueden ser redirigidos desde su sitio a cualquier otro sitio usando una URL especialmente dise\u00f1ada. Este es solo el caso de instalaciones donde es usado la Identificaci\u00f3n de Nombre de Host predeterminada y el entorno usa inquilinos que presentan la funci\u00f3n \"force_https\" ajustada en el par\u00e1metro \"true\" (por defecto: \"false\"). La versi\u00f3n 5.7.2 contiene los parches relevantes para corregir este error. Eliminar la URL de los caracteres especiales para impedir que se redireccione a las URL especialmente dise\u00f1adas. Como soluci\u00f3n alternativa, los usuarios pueden ajustar la funci\u00f3n \"force_https\" para cada inquilino en el par\u00e1metro \"false\", sin embargo, esto puede degradar la seguridad de la conexi\u00f3n"}], "id": "CVE-2021-32645", "lastModified": "2024-11-21T06:07:26.863", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-27T17:15:08.127", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/tenancy/multi-tenant/commit/9c837a21bccce9bcaeb90033ef200d84f0d9e164"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/tenancy/multi-tenant/security/advisories/GHSA-4r8q-gv9j-3xx6"}, {"source": "security-advisories@github.com", "tags": ["Product", "Third Party Advisory"], "url": "https://packagist.org/packages/hyn/multi-tenant"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://webmasters.googleblog.com/2009/01/open-redirect-urls-is-your-site-being.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/tenancy/multi-tenant/commit/9c837a21bccce9bcaeb90033ef200d84f0d9e164"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/tenancy/multi-tenant/security/advisories/GHSA-4r8q-gv9j-3xx6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product", "Third Party Advisory"], "url": "https://packagist.org/packages/hyn/multi-tenant"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://webmasters.googleblog.com/2009/01/open-redirect-urls-is-your-site-being.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object