CVE-2021-3654
Description
A vulnerability was found in openstack-nova's console proxy, noVNC. By crafting a malicious URL, noVNC could be made to redirect to any desired URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Open redirect vulnerability in OpenStack Nova's noVNC console proxy allows attackers to redirect users to arbitrary URLs via crafted requests.
Vulnerability
An open redirect vulnerability exists in OpenStack Nova's console proxy, noVNC, due to improper handling of specially crafted URLs. The issue resides in the WebSockifyRequestHandler, which extends Python's http.server.SimpleHTTPRequestHandler. Certain malformed paths can cause the proxy to return a 301 redirect to an attacker-controlled destination. This affects Nova versions prior to 21.2.3, 22.0.0 through 22.2.2, and 23.0.0 through 23.0.1 [1][4].
Exploitation
An attacker can craft a malicious URL that, when visited by a user (e.g., via a phishing link), causes the noVNC proxy to issue an HTTP redirect to an arbitrary external site. No authentication or special network position is required; the attacker only needs to convince a user to click the crafted URL [3][4]. The redirect stems from the same underlying behavior as Python's SimpleHTTPRequestHandler, which can emit a redirect to a URL beginning with //; browsers treat such a protocol-relative Location value as an absolute URL on another host rather than as a path on the proxy [2].
Impact
Successful exploitation allows an attacker to redirect users to any untrusted site, enabling phishing or other social engineering attacks. This is a confidentiality and integrity impact—users may be tricked into disclosing credentials or visiting malicious content. The compromise is limited to redirection; the attacker does not gain control of the Nova service or the underlying system [1][4].
Mitigation
Updates are available to fix the vulnerability. Nova administrators should upgrade to version 21.2.3 (for Stein), 22.2.3 (for Train/Ussuri), or 23.0.2 (for Victoria) as appropriate [3][4]. No workarounds are documented for unpatched deployments. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
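The narrative above traces the open redirect to the directory-redirect logic inherited from SimpleHTTPRequestHandler and gives upgrading as the fix. The following is an added example, not code from Nova, noVNC, websockify or CPython. It reconstructs the Location header an unpatched handler would build for a request target beginning with //, shows the leading-slash normalization later adopted in CPython's BaseHTTPRequestHandler, defines a hypothetical hardened handler subclass (HardenedHandler, an assumption for illustration) that refuses such targets before the inherited redirect runs, and flags such request targets in constructed sample access-log lines. The host names, file names and log lines are constructed, and the filesystem check that gates the redirect in the real handler is left out so the functions run offline.

```python
import re
from http import HTTPStatus
from http.server import SimpleHTTPRequestHandler
from urllib.parse import urlsplit, urlunsplit


def directory_redirect_location(request_target: str) -> str:
    """Build the Location value a SimpleHTTPRequestHandler-style server sends
    when the requested path maps to a directory but lacks a trailing slash.

    Mirrors the stdlib construction: split the raw request target, append '/'
    to the path component, re-join. The real handler only does this after an
    os.path.isdir() check; here the caller is assumed to have resolved the
    target to a directory. Returns '' when no redirect would be issued.
    """
    parts = urlsplit(request_target)
    if parts.path.endswith('/'):
        return ''
    return urlunsplit((parts.scheme, parts.netloc, parts.path + '/',
                       parts.query, parts.fragment))


def leaves_origin(location: str) -> bool:
    """True when a Location value carries a host component, i.e. a browser
    would follow it off the proxy's origin. A value such as //host/x has no
    scheme but still parses with netloc 'host' (a protocol-relative URL)."""
    return urlsplit(location).netloc != ''


def normalize_request_target(request_target: str) -> str:
    """Collapse a run of leading slashes to a single one, so '//host/x' is
    handled as the local path '/host/x'. This is the normalization later
    CPython releases apply in BaseHTTPRequestHandler.parse_request."""
    if request_target.startswith('//'):
        return '/' + request_target.lstrip('/')
    return request_target


class HardenedHandler(SimpleHTTPRequestHandler):
    """Hypothetical subclass (not Nova's or websockify's handler) that rejects
    a protocol-relative request target before the inherited directory
    redirect can turn it into an off-origin Location header."""

    def send_head(self):
        if self.path.startswith('//'):
            self.send_error(HTTPStatus.BAD_REQUEST, 'URI must not start with //')
            return None
        return super().send_head()


# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_ACCESS_LOG = [
    '203.0.113.9 - - [29/Jul/2021:10:00:01 +0000] "GET /vnc.html?token=abc HTTP/1.1" 200 1324',
    '203.0.113.9 - - [29/Jul/2021:10:00:02 +0000] "GET //evil.example/.. HTTP/1.1" 301 0',
    '198.51.100.4 - - [29/Jul/2021:10:00:05 +0000] "GET /app/ui.js HTTP/1.1" 200 88210',
]

_REQUEST_LINE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def flag_protocol_relative_requests(log_lines):
    """Return (line_number, target) for every request whose target starts
    with '//', the shape an unpatched proxy would turn into a redirect."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = _REQUEST_LINE.search(line)
        if match and match.group('target').startswith('//'):
            hits.append((number, match.group('target')))
    return hits


if __name__ == '__main__':
    target = '//evil.example/..'
    unpatched = directory_redirect_location(target)
    print('unpatched Location:', unpatched, '-> leaves origin:', leaves_origin(unpatched))
    normalized = directory_redirect_location(normalize_request_target(target))
    print('normalized Location:', normalized, '-> leaves origin:', leaves_origin(normalized))
    print('suspicious requests:', flag_protocol_relative_requests(SAMPLE_ACCESS_LOG))
```

The two defensive functions differ in posture: normalize_request_target keeps serving the request as a local path, which is what CPython chose, while HardenedHandler answers 400, which is simpler to audit in a proxy that never legitimately sees such targets. Either way the redirect can no longer carry a host component, which is what leaves_origin checks; the log scan is a cheap way to look for probing of this issue in existing proxy access logs.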
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nova (PyPI) | < 21.2.3 | 21.2.3 |
| nova (PyPI) | >= 22.0.0, < 22.2.3 | 22.2.3 |
| nova (PyPI) | >= 23.0.0, < 23.0.3 | 23.0.3 |
Affected products
- openstack-nova/noVNC
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-vqp6-j452-j6wp
- nvd.nist.gov/vuln/detail/CVE-2021-3654
- security.gentoo.org/glsa/202305-02
- bugs.launchpad.net/nova/+bug/1927677
- bugs.python.org/issue32084
- bugzilla.redhat.com/show_bug.cgi
- opendev.org/openstack/nova
- opendev.org/openstack/nova/commit/04d48527b62a35d912f93bc75613a6cca606df66
- opendev.org/openstack/nova/commit/8906552cfc2525a44251d4cf313ece61e57251eb
- security.openstack.org/ossa/OSSA-2021-002.html
- www.openwall.com/lists/oss-security/2021/07/29/2
News mentions
No linked articles in our index yet.