VYPR
Unrated severity · NVD Advisory · Published Feb 28, 2022 · Updated Aug 3, 2024

CVE-2022-26158

Description

An issue was discovered in the web application in Cherwell Service Management (CSM) 10.2.3. It accepts and reflects arbitrary domains supplied via a client-controlled Host header. Injection of a malicious URL in the Host: header of the HTTP Request results in a 302 redirect to an attacker-controlled page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cherwell Service Management (CSM) 10.2.3 reflects arbitrary Host header values in a 302 redirect, enabling open redirect attacks.

Vulnerability

The web application in Cherwell Service Management (CSM) version 10.2.3 accepts and reflects arbitrary domain values supplied via a client-controlled Host header. The application does not validate the Host header before using it in a redirect response, which allows an attacker to inject a malicious URL. This bug is present in CSM 10.2.3 and earlier versions [1][2].

Exploitation

An attacker first identifies a vulnerable instance of CSM 10.2.3. The attacker then crafts an HTTP request to that instance, setting the Host header to a malicious URL (e.g., Host: attacker.example.com). The server processes this request and responds with a 302 redirect to the attacker-controlled domain. No special authentication or network position is required; the vulnerability can be exploited remotely by sending a single HTTP request to any accessible CSM endpoint [2].

Impact

A successful attack results in an open redirect. The victim's browser (when processing the 302 response) is redirected to the attacker-controlled page, which may be used for phishing, credential harvesting, or malware distribution. The integrity of legitimate CSM sessions or data is not directly compromised, but the trust users place in the CSM domain is abused to redirect them to malicious sites [2].

Mitigation

The issue is fixed in Cherwell Service Management version 10.4.0, released in 2022. Administrators should upgrade to CSM 10.4.0 or later [1]. There is no information about this CVE being listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. If upgrading is not immediately possible, network-level filtering of unusual Host headers may provide a partial workaround.
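The defect class described above is a redirect whose authority comes from the client-supplied Host header, and the fix class is to check that header against a server-side allowlist and build the redirect from a fixed canonical origin. The block below is an added illustration, not Cherwell code and not from the advisory: it places the vulnerable pattern beside the hardened one, and adds a small log check in the spirit of the "unusual Host header" workaround. The host names, the allowlist, the `/portal` path and the access-log format are all constructed assumptions.

```python
"""Host-header allowlisting as a defence against Host-based open redirects.

Added example, not code from the advisory or from Cherwell Service Management.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed values: a real deployment would use its own host names.
ALLOWED_HOSTS = {"csm.example.com", "csm.example.com:443"}
CANONICAL_ORIGIN = "https://csm.example.com"


def vulnerable_redirect_location(host_header: str, path: str) -> str:
    """Redirect target built straight from the client-supplied Host header.

    This is the defect class the advisory describes: whatever arrives in
    Host: becomes the authority of the 302 Location header.
    """
    return f"https://{host_header}{path}"


def normalize_host(host_header: Optional[str]) -> Optional[str]:
    """Lower-case the Host value and reject anything that is not a bare authority.

    Returns None for empty values and for values carrying a scheme, path,
    userinfo, query or whitespace, none of which belong in a Host header.
    """
    if host_header is None:
        return None
    host = host_header.strip().lower()
    if not host or any(c in host for c in " /\\@?#"):
        return None
    # Parsing "//host" makes urlsplit treat the whole value as an authority.
    parts = urlsplit("//" + host)
    if parts.hostname is None or parts.netloc != host:
        return None
    return host


def safe_path(path: str) -> bool:
    """Accept only an absolute path on this origin; '//' would be scheme-relative."""
    return path.startswith("/") and not path.startswith("//") and not path.startswith("/\\")


def hardened_redirect_location(host_header: str, path: str) -> Optional[str]:
    """Return a Location pinned to the canonical origin, or None to answer HTTP 400.

    The Host header is only compared against the allowlist and then discarded;
    the redirect authority is a server-side constant, so no client value reaches it.
    """
    if normalize_host(host_header) not in ALLOWED_HOSTS:
        return None
    if not safe_path(path):
        return None
    return CANONICAL_ORIGIN + path


def unexpected_host_requests(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Flag access-log lines whose Host value is outside the allowlist.

    Assumes a constructed log format: '<client_ip> <host_header> "<request>" <status>'.
    Lines that do not fit the format are skipped rather than flagged.
    """
    flagged = []
    for line in log_lines:
        fields = line.split(" ", 2)
        if len(fields) < 3:
            continue
        client, host, _rest = fields
        if normalize_host(host) not in ALLOWED_HOSTS:
            flagged.append((client, host))
    return flagged


# Constructed sample log lines, not taken from any real deployment.
SAMPLE_LOG = [
    '10.0.0.5 csm.example.com "GET /portal HTTP/1.1" 302',
    '198.51.100.7 attacker.example.com "GET /portal HTTP/1.1" 302',
    '10.0.0.9 CSM.EXAMPLE.COM:443 "GET /login HTTP/1.1" 200',
]

if __name__ == "__main__":
    print("vulnerable:", vulnerable_redirect_location("attacker.example.com", "/portal"))
    print("hardened:  ", hardened_redirect_location("attacker.example.com", "/portal"))
    print("flagged:   ", unexpected_host_requests(SAMPLE_LOG))
```

The allowlist comparison happens after normalisation so that case and an explicit default port do not cause false rejections, while userinfo or path characters smuggled into the header are refused outright. Checking the path separately matters because a redirect of the form `//attacker.example.com/` is scheme-relative and would leave the origin even when the authority is pinned.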

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0

No linked articles in our index yet.