
CVE-2021-23495: Open redirect in karma

CVSS Score (CVSS 3.1)
5.4

Basic Information

EPSS Score
0.47481%
Published
2/26/2022
Updated
2/3/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Package Name
karma
Ecosystem
npm
Vulnerable Versions
< 6.3.16
First Patched Version
6.3.16

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from insufficient validation of the return_url parameter. The pre-patch code in client/karma.js and static/karma.js only checked whether return_url started with http:// or https://, using the regex /^https?:\/\//. This allowed an attacker to supply any external domain in return_url (e.g., http://attacker.com), resulting in an open redirect. The patch replaced this prefix check with configurable allow-list regex patterns (allowedReturnUrlPatterns), confirming that the original validation was inadequate. The functions handling this logic in both files are directly responsible for the insecure redirect.
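The following is an added example, not karma's own code, contrasting the pre-patch prefix check with an allow-list of return_url patterns in the spirit of allowedReturnUrlPatterns. The pattern values, the helper names and the fallback path are constructed for illustration; karma's actual defaults may differ.

```javascript
// Added example (not karma's code). Shows why a scheme-only prefix check is an
// open redirect and how an allow-list of anchored patterns closes it.

// Pre-patch behaviour as described in the root cause analysis:
// any http(s) URL passes, including http://attacker.com.
function legacyReturnUrlOk(returnUrl) {
  return /^https?:\/\//.test(returnUrl);
}

// Constructed allow-list in the style of allowedReturnUrlPatterns.
// The lookahead (?=[:/?#]|$) anchors the host boundary, so a pattern meant for
// localhost does not also accept http://localhost.attacker.com.
const ALLOWED_RETURN_URL_PATTERNS = [
  /^https?:\/\/localhost(?=[:/?#]|$)/,
  /^https?:\/\/127\.0\.0\.1(?=[:/?#]|$)/,
];

// Patched behaviour: return_url must match at least one configured pattern.
function returnUrlAllowed(returnUrl, patterns = ALLOWED_RETURN_URL_PATTERNS) {
  if (typeof returnUrl !== 'string') return false;
  return patterns.some((re) => re.test(returnUrl));
}

// Decide where the browser is sent; anything not allow-listed falls back to
// a relative path on the same origin instead of being redirected off-site.
function resolveReturnUrl(returnUrl, fallback = '/') {
  return returnUrlAllowed(returnUrl) ? returnUrl : fallback;
}
```

Run with the same input under both checks: the legacy check accepts http://attacker.com, while the allow-list check rejects it and keeps the user on the local fallback.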


WAF Protection Rules

WAF Rule

Karma before 6.3.16 is vulnerable to Open Redirect due to missing validation of the return_url query parameter.
