Date: Tue, 13 Oct 2015 01:36:05 +0000
From: Yusaku Sako <yusaku@...tonworks.com>
To: Mark Kerzner <mark@...phantscale.com>, Yosef Kerzner <ykerzner@...il.com>,
	"user@...ari.apache.org" <user@...ari.apache.org>, "dev@...ari.apache.org"
	<dev@...ari.apache.org>, "security@...che.org" <security@...che.org>,
	"oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>,
	"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: [CVE-2015-3186] Apache Ambari XSS vulnerability

Adding the correct user@...ari.apache.org list.

Yusaku

From: Yusaku Sako
Date: Monday, October 12, 2015 at 6:34 PM
To: Mark Kerzner, Yosef Kerzner, "users@...ari.apache.org", "dev@...ari.apache.org", "security@...che.org", "oss-security@...ts.openwall.com", "bugtraq@...urityfocus.com"
Subject: [CVE-2015-3186] Apache Ambari XSS vulnerability


CVE-2015-3186: Apache Ambari XSS vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 1.7.0 to 2.0.2

Versions Fixed: 2.1.0

Description: Ambari allows authenticated cluster operator users to specify arbitrary text as a note when saving configuration changes. This note field is rendered as-is (unescaped HTML). This exposes opportunities for XSS.

Mitigation: Ambari users should upgrade to version 2.1.0 or above.

Version 2.1.0 onwards properly HTML-escapes the note field associated with configuration changes.

Credit: Hacker Y on the Elephant Scale team.

References: https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities
