CVE-2021-23495
Open Redirect vulnerability in karma (npm)

Open Redirect · No known exploit

What is CVE-2021-23495 About?

Karma before 6.3.16 is vulnerable to Open Redirect due to insufficient validation of the `return_url` query parameter. This allows attackers to redirect users to arbitrary malicious websites. Exploitation is easy, requiring only a crafted URL.

Affected Software

karma <6.3.16

Technical Details

The vulnerability exists in Karma versions prior to 6.3.16, specifically in the handling of the `return_url` query parameter. When a user authenticates or completes an action, the application may use this parameter to redirect them back to a specified page. Karma's implementation lacks proper validation or sanitization of this parameter, so an attacker can supply an arbitrary external URL in `return_url`. This lets the attacker craft a malicious link that, when clicked by a victim, redirects them through the legitimate Karma application to an attacker-controlled website after a legitimate action, facilitating phishing attacks or further exploitation.

What is the Impact of CVE-2021-23495?

Successful exploitation may allow attackers to redirect users to malicious websites, leading to phishing attacks, credential harvesting, malware distribution, or other browser-based attacks.

What is the Exploitability of CVE-2021-23495?

Exploitation is of low complexity. An attacker needs to craft a URL containing a malicious `return_url` parameter and entice a victim to click it. This is typically a remote attack delivered via phishing emails, malicious websites, or social engineering. No authentication or specific privileges are required on the Karma server itself for the redirection to occur, only the victim's interaction with the malicious link. The prerequisite is that the Karma application must be accessible to users and use the `return_url` parameter unsafely. The risk is significantly increased by the prevalence of phishing and by the trust users place in a legitimate domain name that performs the redirection.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2021-23495?

Available Upgrade Options

  • karma
    • <6.3.16 → Upgrade to 6.3.16


Additional Resources

What are Similar Vulnerabilities to CVE-2021-23495?

Similar Vulnerabilities: CVE-2020-26233, CVE-2019-18340, CVE-2020-8174, CVE-2020-13777, CVE-2019-10757