Vulnerability Description
Netflix Security Monkey before 0.8.0 has an Open Redirect. The logout functionality accepted the "next" parameter which then redirects to any domain irrespective of the Host header.
CVSS Score
6.1
MEDIUM
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Netflix | Security Monkey | <= 0.7.0 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/97088
- https://github.com/Netflix/security_monkey/commit/3b4da13efabb05970c80f464a50d3cPatchThird Party Advisory
- https://github.com/Netflix/security_monkey/pull/482Third Party Advisory
- https://github.com/Netflix/security_monkey/releases/tag/v0.8.0Release NotesThird Party Advisory
- http://www.securityfocus.com/bid/97088
- https://github.com/Netflix/security_monkey/commit/3b4da13efabb05970c80f464a50d3cPatchThird Party Advisory
- https://github.com/Netflix/security_monkey/pull/482Third Party Advisory
- https://github.com/Netflix/security_monkey/releases/tag/v0.8.0Release NotesThird Party Advisory
FAQ
What is CVE-2017-7266?
CVE-2017-7266 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Netflix Security Monkey before 0.8.0 has an Open Redirect. The logout functionality accepted the "next" parameter which then redirects to any domain irrespective of the Host header.
How severe is CVE-2017-7266?
CVE-2017-7266 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-7266?
Check the references section above for vendor advisories and patch information. Affected products include: Netflix Security Monkey.