CVE-2021-3654
First published: Mon May 17 2021(Updated: )
A vulnerability was found in openstack-nova's console proxy, noVNC. By crafting a malicious URL, noVNC could be made to redirect to any desired URL.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenStack Nova | <21.2.3 | |
| OpenStack Nova | >=22.0.0<22.2.3 | |
| OpenStack Nova | >=23.0.0<23.0.3 | |
| Redhat Openstack Platform | =16.1 | |
| Redhat Openstack Platform | =16.2 | |
| redhat/nova | <21.2.3 | 21.2.3 |
| redhat/nova | <22.3.0 | 22.3.0 |
| redhat/nova | <23.1.0 | 23.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugs.launchpad.net/nova/+bug/1927677
- https://bugs.python.org/issue32084
- https://bugzilla.redhat.com/show_bug.cgi?id=1961439
- https://opendev.org/openstack/nova/commit/04d48527b62a35d912f93bc75613a6cca606df66
- https://opendev.org/openstack/nova/commit/8906552cfc2525a44251d4cf313ece61e57251eb
- https://security.gentoo.org/glsa/202305-02
- https://security.openstack.org/ossa/OSSA-2021-002.html
- https://www.openwall.com/lists/oss-security/2021/07/29/2
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1961446
- https://bugs.python.org/issue43223
- https://github.com/python/cpython/pull/24848
- https://access.redhat.com/errata/RHSA-2022:0999
- https://access.redhat.com/errata/RHSA-2022:0983
- https://access.redhat.com/security/cve/cve-2021-3654
Frequently Asked Questions
What is CVE-2021-3654?
CVE-2021-3654 is a vulnerability found in openstack-nova's console proxy, noVNC, that allows for redirecting to any desired URL via a maliciously crafted URL.
How does CVE-2021-3654 affect OpenStack Nova?
CVE-2021-3654 affects OpenStack Nova versions up to 21.2.3, 22.0.0 up to 22.2.3, and 23.0.0 up to 23.0.3.
What is the severity of CVE-2021-3654?
The severity of CVE-2021-3654 is medium, with a CVSS score of 6.1.
How can I fix CVE-2021-3654?
To fix CVE-2021-3654, update OpenStack Nova to version 21.2.4 or higher, versions 22.3.0 or higher, or versions 23.1.0 or higher.
Where can I find more information about CVE-2021-3654?
You can find more information about CVE-2021-3654 at the following references: [Reference 1](https://bugs.launchpad.net/nova/+bug/1927677), [Reference 2](https://bugs.python.org/issue32084), [Reference 3](https://bugzilla.redhat.com/show_bug.cgi?id=1961439).
- collector/nvd-index
- agent/references
- agent/type
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/remedy
- agent/author
- agent/weakness
- agent/severity
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-3654
- agent/software-canonical-lookup
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/openstack
- canonical/openstack nova
- version/openstack nova/22.0.0
- version/openstack nova/23.0.0
- vendor/redhat
- canonical/redhat openstack platform
- version/redhat openstack platform/16.1
- version/redhat openstack platform/16.2
- package-manager/redhat