OpenCTI Open Redirect Vulnerability in SAML Authentication Endpoint
Vulnerability
A moderate-severity open redirect vulnerability has been identified in the SAML authentication callback endpoint of the OpenCTI platform in versions prior to 6.8.3. By manipulating the RelayState parameter, an attacker can cause the server to issue a 302 redirect to any external URL. Exploitation could lead to phishing attacks, credential theft, and unauthorized redirection to arbitrary sites. The vulnerability arises from a lack of proper validation or sanitization of the user-supplied URL in the RelayState parameter, allowing attackers to craft malicious URLs that redirect users from the trusted OpenCTI domain to attacker-controlled sites.
Impact
Exploitation of this vulnerability undermines the integrity of the authentication process, allowing for phishing and social engineering attacks that could result in credential theft or the distribution of malware.
Reproduction
To reproduce this vulnerability, send a request to the OpenCTI SAML authentication callback endpoint (/auth/saml/callback) with a manipulated RelayState parameter that includes an external URL. The server will respond with a 302 redirect to the specified URL, bypassing any validation or security checks.
Remediation
Users can upgrade to OpenCTI version 6.8.3 or later, where this vulnerability has been patched.
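For deployments that cannot upgrade immediately, or as a check on any SAML callback that honours RelayState, the following is an added example of the validation the advisory says was missing; it is not OpenCTI's own patch, and the base origin and default landing path are assumed values.

```javascript
// Added example (not OpenCTI's code): only ever redirect to a same-origin path
// after the SAML callback, falling back to a fixed landing page otherwise.
const BASE_ORIGIN = 'https://opencti.example.internal'; // assumed deployment origin
const DEFAULT_PATH = '/dashboard';                       // assumed post-login page

function safeRelayState(relayState, baseOrigin = BASE_ORIGIN, fallback = DEFAULT_PATH) {
  if (typeof relayState !== 'string' || relayState.length === 0 || relayState.length > 2048) {
    return fallback;
  }
  // Control characters (CR/LF in particular) must never reach a Location header.
  if (/[\u0000-\u001f\u007f]/.test(relayState)) return fallback;
  // Accept only a path starting with a single "/": "//host" and "/\host" are
  // treated by browsers as protocol-relative URLs pointing at another host.
  if (!/^\/(?![\/\\])/.test(relayState)) return fallback;
  let parsed;
  try {
    parsed = new URL(relayState, baseOrigin); // resolves "..", normalises encoding
  } catch {
    return fallback;
  }
  // Belt and braces: the resolved target must still be on our own origin.
  if (parsed.origin !== new URL(baseOrigin).origin) return fallback;
  return parsed.pathname + parsed.search + parsed.hash;
}

// Constructed RelayState values, as a caller would receive them on the callback.
const samples = [
  '/dashboard?tab=1',            // legitimate deep link
  'https://attacker.example/',   // absolute external URL
  '//attacker.example/login',    // protocol-relative URL
  '/\\attacker.example',         // backslash variant of the above
  '/a/../b#frag',                // traversal inside our own origin
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', safeRelayState(s));
}
```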