Comment 8 for bug 1409142

Tristan Cacqueray (tristan-cacqueray) wrote : Re: Websocket Hijacking Vulnerability in Nova VNC Server

Can the patch be re-formatted to include a commit message?

Also, about the affected versions, I guess it goes back to stable/icehouse, thus backports for Juno and Icehouse are required as well...

Finally, the report only mentions the VNC console, but SPICE seems affected as well, right?

Here is impact description draft #1:

Title: Nova console Cross-Site WebSocket hijacking
Reporter: Brian Manifold (Cisco)
Products: Nova
Versions: up to 2014.1.3 and 2014.2 versions up to 2014.2.1

Description:
Brian Manifold from Cisco reported a vulnerability in the Nova console websocket. By tricking an authenticated user into clicking a malicious URL, a remote attacker may trigger a cross-site-scripting vulnerability resulting in a potential hijack of consoles where the user is still logged in. Only Nova setups with vnc or spice enabled are affected.