| 2015-05-08 10:03:19 |
Nikita Konovalov |
bug |
|
|
added bug |
| 2015-05-08 11:26:09 |
Tristan Cacqueray |
bug task added |
|
ossa |
|
| 2015-05-08 11:26:16 |
Tristan Cacqueray |
ossa: status |
New |
Incomplete |
|
| 2015-05-08 11:27:08 |
Tristan Cacqueray |
description |
The Field class help_text attribute is vulnerable to code injection if the text is somehow taken from the user input.
Heat UI allows to create stacks from the user input which define parameters. Those parameters are then converted to the input field which are vulnerable.
The heat stack example exploit:
description: Does not matter
heat_template_version: '2013-05-23'
outputs: {}
parameters:
param1:
type: string
label: normal_label
description: hack="><script>alert('YOUR HORIZON IS PWNED')</script>"
resources: {} |
--
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
--
The Field class help_text attribute is vulnerable to code injection if the text is somehow taken from the user input.
Heat UI allows to create stacks from the user input which define parameters. Those parameters are then converted to the input field which are vulnerable.
The heat stack example exploit:
description: Does not matter
heat_template_version: '2013-05-23'
outputs: {}
parameters:
param1:
type: string
label: normal_label
description: hack="><script>alert('YOUR HORIZON IS PWNED')</script>"
resources: {} |
|
| 2015-05-08 11:28:00 |
Tristan Cacqueray |
bug |
|
|
added subscriber Lin Hua Cheng |
| 2015-05-11 14:14:05 |
Thierry Carrez |
ossa: importance |
Undecided |
Medium |
|
| 2015-05-11 14:14:05 |
Thierry Carrez |
ossa: status |
Incomplete |
Confirmed |
|
| 2015-05-12 21:24:48 |
Tristan Cacqueray |
ossa: status |
Confirmed |
Triaged |
|
| 2015-06-01 14:04:17 |
Tristan Cacqueray |
bug |
|
|
added subscriber Horizon Core security contacts |
| 2015-06-01 23:54:01 |
Lin Hua Cheng |
horizon: assignee |
|
Lin Hua Cheng (lin-hua-cheng) |
|
| 2015-06-01 23:54:12 |
Lin Hua Cheng |
horizon: status |
New |
Triaged |
|
| 2015-06-01 23:54:15 |
Lin Hua Cheng |
horizon: importance |
Undecided |
Medium |
|
| 2015-06-02 01:00:54 |
Lin Hua Cheng |
attachment added |
|
escape-descrip-field.patch https://bugs.launchpad.net/horizon/+bug/1453074/+attachment/4408363/+files/escape-descrip-field.patch |
|
| 2015-06-03 19:29:52 |
Tristan Cacqueray |
ossa: assignee |
|
Tristan Cacqueray (tristan-cacqueray) |
|
| 2015-06-03 19:32:57 |
Tristan Cacqueray |
ossa: status |
Triaged |
In Progress |
|
| 2015-06-03 20:09:54 |
Lin Hua Cheng |
horizon: status |
Triaged |
In Progress |
|
| 2015-06-03 20:33:57 |
Tristan Cacqueray |
summary |
help_text parameter of fields is vulnerable to arbitrary html injection |
help_text parameter of fields is vulnerable to arbitrary html injection (CVE-2015-3219) |
|
| 2015-06-03 20:34:03 |
Tristan Cacqueray |
cve linked |
|
2015-3219 |
|
| 2015-06-04 19:43:45 |
Tristan Cacqueray |
ossa: status |
In Progress |
Fix Committed |
|
| 2015-06-09 17:15:53 |
Tristan Cacqueray |
information type |
Private Security |
Public Security |
|
| 2015-06-09 17:16:04 |
Tristan Cacqueray |
description |
--
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
--
The Field class help_text attribute is vulnerable to code injection if the text is somehow taken from the user input.
Heat UI allows to create stacks from the user input which define parameters. Those parameters are then converted to the input field which are vulnerable.
The heat stack example exploit:
description: Does not matter
heat_template_version: '2013-05-23'
outputs: {}
parameters:
param1:
type: string
label: normal_label
description: hack="><script>alert('YOUR HORIZON IS PWNED')</script>"
resources: {} |
The Field class help_text attribute is vulnerable to code injection if the text is somehow taken from the user input.
Heat UI allows to create stacks from the user input which define parameters. Those parameters are then converted to the input field which are vulnerable.
The heat stack example exploit:
description: Does not matter
heat_template_version: '2013-05-23'
outputs: {}
parameters:
param1:
type: string
label: normal_label
description: hack="><script>alert('YOUR HORIZON IS PWNED')</script>"
resources: {} |
|
| 2015-06-09 17:16:42 |
OpenStack Infra |
horizon: assignee |
Lin Hua Cheng (lin-hua-cheng) |
Tristan Cacqueray (tristan-cacqueray) |
|
| 2015-06-09 17:23:06 |
Tristan Cacqueray |
summary |
help_text parameter of fields is vulnerable to arbitrary html injection (CVE-2015-3219) |
[OSSA 2015-010] help_text parameter of fields is vulnerable to arbitrary html injection (CVE-2015-3219) |
|
| 2015-06-09 17:43:39 |
OpenStack Infra |
horizon: assignee |
Tristan Cacqueray (tristan-cacqueray) |
Lin Hua Cheng (lin-hua-cheng) |
|
| 2015-06-09 23:12:37 |
OpenStack Infra |
tags |
heat |
heat in-stable-kilo |
|
| 2015-06-09 23:12:48 |
OpenStack Infra |
tags |
heat in-stable-kilo |
heat in-stable-juno in-stable-kilo |
|
| 2015-06-10 01:39:29 |
OpenStack Infra |
horizon: status |
In Progress |
Fix Committed |
|
| 2015-06-10 15:51:02 |
Rob Cresswell |
horizon: milestone |
|
liberty-1 |
|
| 2015-06-10 16:00:43 |
Tristan Cacqueray |
ossa: status |
Fix Committed |
Fix Released |
|
| 2015-06-23 21:58:52 |
Doug Hellmann |
horizon: status |
Fix Committed |
Fix Released |
|
| 2015-07-23 21:29:10 |
Alan Pevec |
nominated for series |
|
horizon/kilo |
|
| 2015-07-23 21:29:11 |
Alan Pevec |
bug task added |
|
horizon/kilo |
|
| 2015-07-23 21:55:58 |
Alan Pevec |
horizon/kilo: status |
New |
Fix Committed |
|
| 2015-07-23 21:55:58 |
Alan Pevec |
horizon/kilo: milestone |
|
2015.1.1 |
|
| 2015-07-29 21:45:09 |
Alan Pevec |
horizon/kilo: status |
Fix Committed |
Fix Released |
|
| 2015-10-15 11:14:44 |
Thierry Carrez |
horizon: milestone |
liberty-1 |
8.0.0 |
|
| 2015-11-14 10:33:11 |
Alan Pevec |
nominated for series |
|
horizon/juno |
|
| 2015-11-14 10:33:12 |
Alan Pevec |
bug task added |
|
horizon/juno |
|
| 2015-11-14 15:05:55 |
Alan Pevec |
horizon/juno: status |
New |
Fix Committed |
|
| 2015-11-14 15:05:55 |
Alan Pevec |
horizon/juno: milestone |
|
2014.2.4 |
|
| 2015-11-17 13:58:24 |
Alan Pevec |
horizon/juno: importance |
Undecided |
Medium |
|
| 2015-11-17 13:58:43 |
Alan Pevec |
horizon/kilo: importance |
Undecided |
Medium |
|
| 2015-11-17 13:59:07 |
Alan Pevec |
tags |
heat in-stable-juno in-stable-kilo |
heat |
|
| 2015-11-17 14:00:58 |
Alan Pevec |
horizon/juno: assignee |
|
Lin Hua Cheng (lin-hua-cheng) |
|
| 2015-11-17 14:01:03 |
Alan Pevec |
horizon/kilo: assignee |
|
Lin Hua Cheng (lin-hua-cheng) |
|
| 2015-11-19 21:42:46 |
Alan Pevec |
horizon/juno: status |
Fix Committed |
Fix Released |
|
