CVE-2017-16652: URL Redirection to Untrusted Site (Open Redirect)

June 13, 2018 (updated March 13, 2019)

DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler takes the content of the _target_path parameter and generates a redirect response, but no check is performed on the path, which could be an absolute URL to an external domain. This Open redirect vulnerability can be exploited for example to mount effective phishing attacks.

References

symfony.com/cve-2017-16652

Code Behaviors & Features

Detect and mitigate CVE-2017-16652 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →