NVD Vulnerability Detail

CVE-2021-32645

Summary	Tenancy multi-tenant is an open source multi-domain controller for the Laravel web framework. In some situations, it is possible to have open redirects where users can be redirected from your site to any other site using a specially crafted URL. This is only the case for installations where the default Hostname Identification is used and the environment uses tenants that have `force_https` set to `true` (default: `false`). Version 5.7.2 contains the relevant patches to fix this bug. Stripping the URL from special characters to prevent specially crafted URL's from being redirected to. As a work around users can set the `force_https` to every tenant to `false`, however this may degrade connection security.
Publication Date	May 28, 2021, 2:15 a.m.
Registration Date	May 28, 2021, 10 a.m.
Last Update	Nov. 21, 2024, 3:07 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:tenancy:multi-tenant::::::::		5.6.0			5.7.2

Related information, measures and tools

No	URL	タグ
1	https://github.com/tenancy/multi-tenant/commit/9c837a21bccce9bcaeb90033ef200d84f0d9e164	Patch Third Party Advisory
2	https://github.com/tenancy/multi-tenant/commit/9c837a21bccce9bcaeb90033ef200d84f0d9e164	Patch Third Party Advisory
3	https://github.com/tenancy/multi-tenant/security/advisories/GHSA-4r8q-gv9j-3xx6	Mitigation Third Party Advisory
4	https://github.com/tenancy/multi-tenant/security/advisories/GHSA-4r8q-gv9j-3xx6	Mitigation Third Party Advisory
5	https://packagist.org/packages/hyn/multi-tenant	Product Third Party Advisory
6	https://packagist.org/packages/hyn/multi-tenant	Product Third Party Advisory
7	https://webmasters.googleblog.com/2009/01/open-redirect-urls-is-your-site-being.html	Third Party Advisory
8	https://webmasters.googleblog.com/2009/01/open-redirect-urls-is-your-site-being.html	Third Party Advisory

Common Vulnerabilities List

JVN Vulnerability Information

Laravel Web フレームワーク用 Tenancy multi-tenant におけるオープンリダイレクトの脆弱性

Title	Laravel Web フレームワーク用 Tenancy multi-tenant におけるオープンリダイレクトの脆弱性
Summary	Laravel Web フレームワーク用 Tenancy multi-tenant には、オープンリダイレクトの脆弱性が存在します。
Possible impacts	情報を取得される、および情報を改ざんされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	May 27, 2021, midnight
Registration Date	Feb. 14, 2022, 4:26 p.m.
Last Update	Feb. 14, 2022, 4:26 p.m.

Affected System

Tenancy

multi-tenant 5.7.2 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2021-32645	https://www.cve.org/CVERecord?id=CVE-2021-32645
National Vulnerability Database (NVD)
2	CVE-2021-32645	https://nvd.nist.gov/vuln/detail/CVE-2021-32645

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-601	https://cwe.mitre.org/data/definitions/601.html

ベンダー情報

No	Name	URL
GitHub
1	Open Redirect	https://github.com/tenancy/multi-tenant/security/advisories/GHSA-4r8q-gv9j-3xx6
2	Trim slashes from request uri before redirecting (#1001)	https://github.com/tenancy/multi-tenant/commit/9c837a21bccce9bcaeb90033ef200d84f0d9e164
Packagist
3	hyn/multi-tenant	https://packagist.org/packages/hyn/multi-tenant

Change Log

No	Changed Details	Date of change
1	[2022年02月14日] 掲載	Feb. 14, 2022, 4:26 p.m.