CVE-2021-3654

Description

A vulnerability was found in openstack-nova's console proxy, noVNC. By crafting a malicious URL, noVNC could be made to redirect to any desired URL.

How to fix CVE-2021-3654

To remediate CVE-2021-3654, upgrade the affected package to a fixed version below.

• Debian/nova—no fix listed
• PyPI/nova—upgrade to 21.2.3 or later

Is CVE-2021-3654 being exploited?

Likely — EPSS is 87.2%, placing CVE-2021-3654 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (2)

• from 0
• from 0, < 21.2.3

CVSS scores

References (11)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-3654
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-3654
• PATCHopendev.org/openstack/nova
• WEBbugs.launchpad.net/nova/+bug/1927677
• WEBbugs.python.org/issue32084