
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability (CVE-2021-3654) was discovered in OpenStack Nova's console proxy, noVNC. The vulnerability was reported by the Monash University Cyber Security team and disclosed on July 29, 2021. The issue affected Nova versions <21.2.3, >=22.0.0 <22.2.3, and >=23.0.0 <23.0.3. The vulnerability allowed attackers to craft malicious URLs that could redirect users to arbitrary websites (OpenStack OSSA).
The vulnerability stemmed from a known issue in Python's standard library http.server.SimpleHTTPRequestHandler, which noVNC's WebSockifyRequestHandler inherits from. By using a specially crafted URL format like 'http://vncproxy.my.domain.com//example.com/%2F..', an attacker could cause the server to redirect to arbitrary destinations. The issue was particularly concerning because the server name in the modified link remained identical to the original site (Python Bug, Launchpad Bug).
The vulnerability could be exploited for phishing. An attacker who supplied untrusted URL input pointing at a malicious site could redirect users there to steal their credentials, and because the server name in the crafted link remained that of the legitimate site, such phishing attempts appeared more trustworthy (Red Hat CVE).
The vulnerability was patched in Nova versions 21.2.3, 22.3.0, and 23.1.0. The fix involved implementing changes to reject requests that pass a redirection URL beginning with '//' by returning a 400 Bad Request error. Multiple patches were released for different versions including Train, Ussuri, Victoria, Wallaby, and Xena branches (Nova Commit, Nova Commit).
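The following added example (not code from Nova, noVNC or the Python project) models the two http.server steps that produce the open redirect described above and then applies the check Nova's fix introduced; the served-directory set and the example.com host are constructed stand-ins.

```python
"""CVE-2021-3654 modelled offline: the http.server steps that produce the
open redirect (translate_path() and send_head()'s directory redirect) and
the check Nova's fix added, rejecting request paths that begin with '//'."""
import posixpath
from http import HTTPStatus
from urllib.parse import unquote, urlsplit, urlunsplit

# Constructed stand-in for the directories under the served root.
SERVED_DIRECTORIES = frozenset({"", "console"})


def normalized_local_path(request_path: str) -> str:
    """Mirror translate_path(): strip query/fragment, unquote, normpath."""
    path = request_path.split("?", 1)[0].split("#", 1)[0]
    path = posixpath.normpath(unquote(path))
    # '//example.com/%2F..' unquotes to '//example.com//..', which normpath
    # collapses to '//': no components survive, so it names the served root.
    return "/".join(word for word in path.split("/") if word)


def directory_redirect_location(request_path: str) -> str:
    """Mirror send_head(): rebuild the raw request path with a trailing '/'."""
    parts = urlsplit(request_path)
    # urlsplit treats a leading '//' as a netloc, so urlunsplit keeps it and
    # the Location header becomes a scheme-relative URL to a foreign host.
    return urlunsplit((parts[0], parts[1], parts[2] + "/", parts[3], parts[4]))


def is_scheme_relative(request_path: str) -> bool:
    """The check Nova added before any redirect decision."""
    return request_path.startswith("//")


def respond(request_path: str, hardened: bool):
    """Return (status code, Location header) as the handler would for a GET."""
    if hardened and is_scheme_relative(request_path):
        return HTTPStatus.BAD_REQUEST.value, None  # Nova fix: 400 instead of 301
    names_directory = normalized_local_path(request_path) in SERVED_DIRECTORIES
    if names_directory and not request_path.endswith("/"):
        return HTTPStatus.MOVED_PERMANENTLY.value, directory_redirect_location(request_path)
    return HTTPStatus.OK.value, None


if __name__ == "__main__":
    crafted = "//example.com/%2F.."
    print("vulnerable:", respond(crafted, hardened=False))  # (301, '//example.com/%2F../')
    print("hardened:  ", respond(crafted, hardened=True))   # (400, None)
```

Legitimate directory requests such as `/console` still receive the standard `301` to `/console/`, so the added check changes behaviour only for the scheme-relative form.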
Source: This report was generated using AI