CVE-2020-29565 in OpenStack Horizon
Summary
by MITRE • 12/04/2020
An issue was discovered in OpenStack Horizon before 15.3.2, 16.x before 16.2.1, 17.x and 18.x before 18.3.3, 18.4.x, and 18.5.x. There is a lack of validation of the "next" parameter, which would allow someone to supply a malicious URL in Horizon that can cause an automatic redirect to the provided malicious URL.
Analysis
by VulDB Data Team • 12/12/2020
The vulnerability identified as CVE-2020-29565 is a critical open redirect issue in the OpenStack Horizon dashboard interface. It affects multiple versions of the dashboard software: releases before 15.3.2, 16.x before 16.2.1, 17.x and 18.x before 18.3.3, 18.4.x, and 18.5.x. The vulnerability stems from inadequate input validation of the "next" parameter, which web applications commonly use to redirect users after authentication or other operations. When users interact with the Horizon dashboard, they may encounter authentication flows that use this "next" parameter to determine where they are redirected after a successful login or the completion of specific actions.
Attackers can manipulate the "next" parameter value to include arbitrary URLs, which are then processed as redirect targets without proper validation. This occurs because the Horizon application fails to sanitize or validate the input provided in the "next" parameter before using it in redirect operations. The flaw enables attackers to craft malicious URLs that could redirect authenticated users to phishing sites, malicious domains, or other attacker-controlled resources. This type of vulnerability falls under CWE-601, which specifically addresses URL redirect vulnerabilities and the potential for open redirect attacks that can be leveraged for social engineering campaigns.
The operational impact of this vulnerability extends beyond simple redirect manipulation and can enable sophisticated attack vectors including credential theft, malware distribution, and phishing campaigns. When authenticated users are redirected to malicious sites, attackers can exploit the trust relationship between the user and the legitimate Horizon instance to harvest credentials or deploy malicious payloads. The vulnerability particularly affects enterprise environments using OpenStack deployments where Horizon serves as the primary administrative interface, making it a prime target for attackers seeking to compromise cloud infrastructure access. This weakness can be exploited in conjunction with other techniques to establish persistent access or escalate privileges within the cloud environment.
Organizations should immediately implement mitigation strategies including upgrading to patched versions of Horizon, implementing strict validation of redirect parameters, and configuring proper input sanitization mechanisms. The recommended approach involves enforcing a whitelist of allowed redirect destinations or implementing strict URL validation that ensures redirect targets originate from trusted domains within the organization's infrastructure. Security teams should also consider implementing network-level controls and monitoring for suspicious redirect patterns. This vulnerability aligns with ATT&CK technique T1566, which covers social engineering tactics including phishing and spearphishing, and demonstrates how seemingly minor input validation flaws can create significant security risks in cloud management interfaces. The incident highlights the critical importance of validating all user-supplied input in web applications and implementing proper access controls to prevent unauthorized redirection that could compromise user sessions and organizational security posture.
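The allowlist validation recommended above can be sketched as follows. This is an added example, not code from Horizon or its patch; the host name, the fallback path and the function names is_safe_redirect and resolve_next are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed values for illustration; not taken from Horizon.
ALLOWED_HOSTS = frozenset({"horizon.example.org"})
DEFAULT_REDIRECT = "/"


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for a rooted local path or an http(s) URL on an allowed host."""
    if not isinstance(target, str) or not target:
        return False
    # Browsers treat "\" as "/" and drop tabs and newlines, so a value that
    # looks like a local path can still resolve to another host.
    if "\\" in target or any(ord(ch) <= 0x20 for ch in target):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept a single leading "/" only. "///host"
        # parses with an empty netloc, but browsers still read a host from it.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("", "http", "https"):
        return False  # javascript:, data: and other non-web schemes
    # Compare the parsed hostname exactly, never a prefix or substring, so
    # "allowed-host@other" and "allowed-host.other" look-alikes are rejected.
    # A scheme with no host ("https:other.example") yields "" and fails too.
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


def resolve_next(target, allowed_hosts=ALLOWED_HOSTS):
    """Value to redirect to after login: the validated 'next' or a fixed fallback."""
    return target if is_safe_redirect(target, allowed_hosts) else DEFAULT_REDIRECT


if __name__ == "__main__":
    # Constructed sample "next" values.
    for sample in ("/project/instances/",
                   "https://horizon.example.org/project/",
                   "https://evil.example/login",
                   "//evil.example/login",
                   "https://horizon.example.org@evil.example/"):
        print(f"{sample!r:50} -> {resolve_next(sample)!r}")
```

Rejected values fall back to a fixed local path instead of raising an error, so a tampered link still lands the user on the dashboard.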