[OSSA-2017-003] XSS in federation mappings UI (CVE-2017-7400)

Bug #1680741 reported by Adam Heczko
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Mirantis OpenStack | Confirmed | High | MOS Horizon |
8.0.x | Invalid | High | MOS Maintenance |
9.x | Invalid | High | MOS Maintenance |

Bug Description

Detailed bug description:
Eric Brown from VMware reported a vulnerability in Horizon. By creating a malicious federation mapping, an administrator may conduct a persistent XSS attack. All Horizon setups are affected.

LP reference:
https://launchpad.net/bugs/1667086

Fix for pike:
https://review.openstack.org/442277

Fix for ocata:
https://review.openstack.org/442453

Fix for newton:
https://review.openstack.org/442454

Fix for mitaka:
https://review.openstack.org/442455

Changed in mos:
assignee: nobody → MOS Horizon (mos-horizon)
status: New → Confirmed
Vladislav Kuzmin (vkuzmin-u) wrote :
Vladislav Kuzmin (vkuzmin-u) wrote :
Sergii Rizvan (srizvan) wrote :

This bug is Invalid for 8.0, because federation mappings in Horizon have been implemented since the Mitaka release.

This report contains Public Security information  
Everyone can see this security related information.
