17094 SEC Fix XSS on SAML login screen

Escape links on the saml2 login error message, which is passed via the URL. CMK-18240 Change-Id: Id3903d8bb13c28ae59d03b5ccc68c4cba2c27bfb
Checkmk · Sep 19, 2024 · f56f395 · f56f395
1 parent 25aeb99
commit f56f395
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 1 deletion.
diff --git a/.werks/17094 b/.werks/17094
@@ -0,0 +1,24 @@
+Title: Fix XSS on SAML login screen
+Class: security
+Compatible: compat
+Component: wato
+Date: 1725549833
+Edition: cee
+Level: 1
+Version: 2.2.0p34
+
+Prior to Werk, attackers could craft URLs that rendered clickable HTML links in the error box on the SAML login page.
+This could facilitate phishing attacks by tricking users into clicking malicious links.
+
+Links in the error message are now escaped and no longer clickable.
+
+This issue was identified during internal review.
+
+<em>Affected Versions</em>:
+
+LI: 2.3.0
+LI: 2.2.0
+
+<em>Vulnerability Management</em>:
+
+We have rated the issue with a CVSS Score of 5.1 Medium (<code>CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N</code>) and assigned <code>CVE-2024-38860</code>.
diff --git a/cmk/gui/utils/login.py b/cmk/gui/utils/login.py
@@ -11,6 +11,7 @@
 from cmk.gui.http import request
 from cmk.gui.i18n import _
 from cmk.gui.userdb.type_defs import RelayState
+from cmk.gui.utils.escaping import escape_text
 from cmk.gui.utils.urls import makeuri_contextless
 from cmk.gui.utils.user_errors import user_errors
 
@@ -35,7 +36,9 @@ def show_saml2_login(
         saml_css_class = []
         html.close_div()
         if (
-            saml2_user_error := request.get_str_input("_saml2_user_error")
+            saml2_user_error := escape_text(
+                request.get_str_input("_saml2_user_error"), escape_links=True
+            )
         ) and request.get_str_input("_connection_id") == connection["id"]:
             user_errors.add(
                 MKUserError(