CVE-2024-25715: 
Linux Debian vulnerability analysis and mitigation

Glewlwyd SSO server versions 2.x through 2.7.6 contains an open redirection vulnerability (CVE-2024-25715) that allows attackers to perform open redirection attacks via the redirect_uri parameter. The vulnerability was discovered and disclosed in February 2024, affecting all versions of the Glewlwyd SSO server from version 2.0.0 up to and including version 2.7.6 (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability can be exploited remotely, requires low attack complexity, needs no privileges, but does require user interaction. The scope is changed, with low impacts on both confidentiality and integrity, and no impact on availability (NVD).

The vulnerability allows attackers to redirect users to arbitrary URLs through manipulation of the redirect_uri parameter. This could potentially be used in phishing attacks or to redirect users to malicious websites, compromising user security and potentially leading to credential theft or other social engineering attacks (NVD).

The issue has been addressed in multiple patches. Users should upgrade to fixed versions where available. For Debian systems, version 2.7.5-3+deb12u1 in bookworm and 2.7.6+ds-2 in sid/trixie contain the fixes. The patches implement proper validation of redirect URIs to prevent open redirection attacks (Debian Tracker).