Backport the fix for Horizon CVE-2016-4428 vulnerability (OSSA-2016-010)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mirantis OpenStack | Fix Released | Critical | Timur Sufiev |
7.0.x | Fix Committed | Critical | Denis Meltsaykin |
8.0.x | Fix Released | Critical | Alex Ermolov |
9.x | Fix Released | Critical | Timur Sufiev |
Bug Description
This is an advance warning of a vulnerability discovered in OpenStack,
to give you, as downstream stakeholders, a chance to coordinate the
release of fixes and reduce the vulnerability window. Please treat the
following information as confidential until the proposed public
disclosure date.
Title: XSS in Horizon client side template
Reporter: Beth Lancaster and Brandon Sawyers (Virginia Tech)
Products: Horizon
Affects: <=8.0.1, >=9.0.0 <=9.0.1
Description:
Beth Lancaster and Brandon Sawyers from Virginia Tech reported a
vulnerability in Horizon. By injecting an AngularJS template into dashboard
forms, such as an image's description, an authenticated user may trigger a
cross-site-scripting attack against users viewing the affected pages. It may
result in potential asset theft, such as user access credentials. All Horizon
setups are affected.
Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to stable/liberty, stable/mitaka and master/newton on the
public disclosure date.
CVE: CVE-2016-4428
Proposed public disclosure date/time:
2016-06-15, 1500UTC
Please do not make the issue public (or release public patches) before
this coordinated embargo date.
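To make the mechanism in the description concrete, the following is an added JavaScript illustration; it is not Horizon's code and not the OSSA-2016-010 patch, and `evaluate`, `interpolate`, `renderVulnerable` and `renderHardened` are hypothetical names chosen for the example. It shows why splicing an untrusted image description into markup that a client-side template engine later compiles turns any `{{ }}` in the data into an executable expression (the `constructor.constructor(...)()` walk from a plain scope object to `Function` is the classic AngularJS 1.x escalation), and the general fix of binding untrusted text as scope data to a fixed template instead.

```javascript
// Added illustration of the bug class behind CVE-2016-4428. This is NOT
// Horizon's code and NOT the OSSA-2016-010 patch; evaluate(), interpolate(),
// renderVulnerable() and renderHardened() are hypothetical names.

// Toy expression evaluator standing in for a client-side template engine's
// expression language. Like AngularJS 1.x, it resolves names against the
// scope object (prototype chain included) and supports dotted member access
// and calls with string-literal arguments. That is exactly enough for
// `constructor.constructor('...')()` to walk from a plain object to Object,
// then to Function, and execute attacker-supplied source.
function evaluate(expr, scope) {
  const tokens = expr.match(/[A-Za-z_$][\w$]*|'[^']*'|"[^"]*"|[().]/g) || [];
  let pos = 0;
  let value = scope;
  while (pos < tokens.length) {
    const tok = tokens[pos++];
    if (tok === '.') continue;                     // member-access separator
    if (tok === '(') {                             // call with string args
      const args = [];
      while (pos < tokens.length && tokens[pos] !== ')') {
        args.push(tokens[pos++].slice(1, -1));     // strip surrounding quotes
      }
      pos++;                                       // consume ')'
      if (typeof value !== 'function') {
        throw new TypeError('not callable: ' + String(value));
      }
      value = value.apply(null, args);
    } else {
      value = value[tok];                          // property lookup on scope
    }
  }
  return value;
}

// Interpolation: every {{ expr }} in the template is evaluated against scope.
// The replacement callback's result is inserted verbatim and never re-scanned.
function interpolate(template, scope) {
  return template.replace(/\{\{(.+?)\}\}/g, (_, expr) =>
    String(evaluate(expr.trim(), scope)));
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the untrusted description is concatenated into the
// markup BEFORE the client-side engine compiles it, so {{ }} inside the data
// is evaluated as an expression with the attacker choosing the expression.
function renderVulnerable(description) {
  const template = `<p class="description">${description}</p>`;
  return interpolate(template, {});
}

// Hardened pattern: the template is a fixed string that never contains user
// input, and the untrusted text is supplied as DATA on the scope. The engine
// evaluates the fixed expression `description` once and inserts the resulting
// string as-is, so braces inside it are inert text.
function renderHardened(description) {
  const template = '<p class="description">{{ description }}</p>';
  return interpolate(template, { description: escapeHtml(description) });
}

// Constructed test input, shaped like the injected image description the
// advisory describes.
const DEMO_PAYLOAD = "{{constructor.constructor('return \"pwned\"')()}}";

console.log(renderVulnerable(DEMO_PAYLOAD)); // attacker expression ran: "pwned" appears
console.log(renderHardened(DEMO_PAYLOAD));   // payload rendered inertly as text
```

Note that server-side HTML autoescaping does not close this class of bug on its own: the browser decodes entities before the client-side engine reads the DOM text, so `{{`, `(` and quotes reach the expression parser unchanged. The fix has to keep user data out of template source altogether, which is what `renderHardened` does by binding it to the scope.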
CVE References: CVE-2016-4428
tags: added: area-horizon
Changed in mos:
assignee: nobody → Timur Sufiev (tsufiev-x)
tags: added: feature-security
tags: added: on-verification
information type: Private Security → Public Security
summary:
- Backport the fix for Horizon CVE-2016-4428 vulnerability
+ Backport the fix for Horizon CVE-2016-4428 vulnerability (OSSA-2016-010)
The patch being backported to the 9.0/mitaka branch is here: https://review.fuel-infra.org/#/c/21818/