)]}'
{"ossa/OSSA-2021-002.yaml":[{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"4566b602c04448c755afe8ba6c0029907d5e47e0","unresolved":true,"context_lines":[{"line_number":10,"context_line":"  implementation which exposed access to a well-known redirect behavior in the"},{"line_number":11,"context_line":"  Python standard library\u0027s http.server.SimpleHTTPRequestHandler and thus"},{"line_number":12,"context_line":"  noVNC\u0027s WebSockifyRequestHandler which uses it. By convincing an"},{"line_number":13,"context_line":"  authenticated user to follow a specially-crafted novncproxy URL, the user"},{"line_number":14,"context_line":"  could be redirected to an unrelated site under control of the attacker where"},{"line_number":15,"context_line":"  they might be convinced to divulge credentials or other sensitive data. All"},{"line_number":16,"context_line":"  Nova deployments with novncproxy enabled are affected."}],"source_content_type":"text/x-yaml","patch_set":2,"id":"3b66bc3a_f33facbe","line":13,"range":{"start_line":13,"start_character":2,"end_line":13,"end_character":15},"updated":"2021-07-28 16:36:28.000000000","message":"FWIW this occurs without a user having been authenticated, that is, the redirect occurs before any authentication step is reached.","commit_id":"819ccd61d8c3ba6589a5b55988021f442c9831d9"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"d25362d4334980d8de1e665f96fff9ffe0d1ab84","unresolved":false,"context_lines":[{"line_number":10,"context_line":"  implementation which exposed access to a well-known redirect behavior in the"},{"line_number":11,"context_line":"  Python standard library\u0027s http.server.SimpleHTTPRequestHandler and thus"},{"line_number":12,"context_line":"  noVNC\u0027s WebSockifyRequestHandler which uses it. By convincing an"},{"line_number":13,"context_line":"  authenticated user to follow a specially-crafted novncproxy URL, the user"},{"line_number":14,"context_line":"  could be redirected to an unrelated site under control of the attacker where"},{"line_number":15,"context_line":"  they might be convinced to divulge credentials or other sensitive data. All"},{"line_number":16,"context_line":"  Nova deployments with novncproxy enabled are affected."}],"source_content_type":"text/x-yaml","patch_set":2,"id":"51c624f1_088fd680","line":13,"updated":"2021-07-28 16:49:42.000000000","message":"Thanks, I wasn\u0027t completely sure. Will fix.","commit_id":"819ccd61d8c3ba6589a5b55988021f442c9831d9"}]}