Bug 988935 (CVE-2016-6519) - VUL-0: CVE-2016-6519: openstack-manila: Persistent XSS in Metadata field
Status: RESOLVED FIXED
Alias: CVE-2016-6519
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Major
Target Milestone: ---
Assignee: Cloud Bugs
QA Contact: Security Team bot
URL: https://bugs.launchpad.net/manila-ui/...
Whiteboard: CVSSv2:SUSE:CVE-2016-6519:6.0:(AV:N/A...
Reported: 2016-07-14 10:44 UTC by Andreas Stieger
Modified: 2017-10-13 14:04 UTC
Found By: Security Response Team

Attachments
fix provided upstream (7.95 KB, text/plain)
2016-07-14 11:51 UTC, Thomas Bechtold

Comment 2 Thomas Bechtold 2016-07-14 11:51:42 UTC
Created attachment 684261 [details]
fix provided upstream
Comment 4 Swamp Workflow Management 2016-07-14 22:00:13 UTC
bugbot adjusting priority
Comment 7 Andreas Stieger 2016-08-03 08:12:38 UTC
CVE-2016-6519 was assigned by MITRE.
Comment 10 Thomas Bechtold 2016-08-15 10:13:37 UTC
Submission is: https://build.suse.de/request/show/119584
Comment 11 Andreas Stieger 2016-08-15 11:32:36 UTC
Draft advisory, asking upstream if that is okay...

CRD: to be determined...
CVE-2016-6519: OpenStack manila-ui: Persistent XSS in Metadata field

It was discovered that the Metadata field in the "Create Share" form allows users to inject malicious HTML/JavaScript code that will be reflected in the "Shares" overview. The issue comes from a mark_safe() call on the user-supplied metadata.

https://github.com/openstack/manila-ui/blob/d5fe23e4ba30846acdd09fa1dc61a415016a7e26/manila_ui/dashboards/project/shares/shares/tabs.py#L49

Remote, authenticated, but unprivileged users could exploit this vulnerability to escalate privileges by stealing session cookies.

Due to the size limitation of metadata strings the malicious payload needs to be split over multiple keys. In order to reproduce this issue, in Horizon, go to Project -> Compute -> Shares -> Create Share. In the Metadata field, add the following payload:

a=<script>alert("test")/*
b=*/<script>

As soon as the share is created, the payload is reflected in the browser. It will also be reflected each time the Shares list is loaded (e.g. by clicking on Project -> Compute -> Shares).

The issue was discovered by Niklaus Schiess; the fix was provided by Valeriy Ponomaryov.

MITRE assigned CVE-2016-6519 to this issue.
The upstream bug is https://bugs.launchpad.net/manila-ui/+bug/1597738
The SUSE bug is https://bugzilla.suse.com/show_bug.cgi?id=988935
SUSE's evaluation has a CVSS base score 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
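
The mark_safe() problem described in the draft advisory above, shown as an added example that is not part of the bug report and is not the upstream fix. It uses only the Python standard library: plain string concatenation stands in for mark_safe(), html.escape() for the escaping step, and the function names are hypothetical.

```python
import html
from html.parser import HTMLParser

# Payload from the draft advisory, split over two keys due to the size limit.
ADVISORY_METADATA = {"a": '<script>alert("test")/*', "b": "*/<script>"}


def render_metadata_unsafe(metadata):
    # Vulnerable pattern: user input is joined into markup unescaped, which is
    # what marking the joined string as safe amounts to.
    return "<br/>".join(f"{k} = {v}" for k, v in metadata.items())


def render_metadata_escaped(metadata):
    # Hardened pattern: escape every key and value, then add our own markup.
    return "<br/>".join(
        f"{html.escape(str(k))} = {html.escape(str(v))}"
        for k, v in metadata.items()
    )


class TagCollector(HTMLParser):
    """Records every element start tag found in the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_seen(markup):
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    for render in (render_metadata_unsafe, render_metadata_escaped):
        out = render(ADVISORY_METADATA)
        print(render.__name__, tags_seen(out), out, sep="\n  ")
```

In a Django view the same result comes from leaving template autoescaping on, or from building the string with django.utils.html.format_html_join instead of mark_safe().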
Comment 12 Thomas Bechtold 2016-08-29 08:21:48 UTC
ping - any updates here? Any release date available?
Comment 13 Marcus Meissner 2016-08-29 09:19:12 UTC
Did you get any emails? Andreas is on vacation still, we did not get any on the security lists at least.
Comment 14 Thomas Bechtold 2016-08-29 09:41:22 UTC
(In reply to Marcus Meissner from comment #13)
> Did you get any emails? Andreas is on vacation still, we did not get any on
> the security lists at least.

No. I pinged the upstream PTL now in the launchpad bug and on irc...
Comment 15 Thomas Bechtold 2016-08-29 12:58:09 UTC
Confirmed release date is now 2016-09-07 12:00 UTC (see https://bugs.launchpad.net/manila-ui/+bug/1597738 ).

@meissner : Is that enough to continue with that? Or do you need anything else from upstream?
Comment 16 Marcus Meissner 2016-08-30 10:56:54 UTC
I think that's it. I set the CRD in the update we have queued.
Comment 17 Marcus Meissner 2016-08-30 11:15:25 UTC
CRD: 2017-09-07 12:00 UTC
Comment 18 Marcus Meissner 2016-08-31 12:59:57 UTC
CRD: 2016-09-07 12:00 UTC
Comment 19 Thomas Bechtold 2016-09-07 16:30:28 UTC
- Have we released the update for Cloud6 today?
- Is the bug now public?
Comment 24 Marcus Meissner 2016-09-15 12:43:16 UTC
made public.
Comment 25 alex runge 2016-09-21 11:43:10 UTC
(In reply to Marcus Meissner from comment #24)
> made public.

I'm struggling to find a manila update in the SC6 repos... has anything been released, yet?
Also https://bugs.launchpad.net/manila-ui/+bug/1597738 is not yet accessible publicly.

alex
Comment 26 Marcus Meissner 2016-09-21 11:53:34 UTC
Our own update is still in QA with our QA team.

I emailed the author too who is in control of the launchpad bug.
Comment 29 Andreas Stieger 2016-10-05 07:34:06 UTC
Releasing update.
Comment 30 Swamp Workflow Management 2016-10-05 11:09:21 UTC
SUSE-SU-2016:2457-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 988935
CVE References: CVE-2016-6519
Sources used:
SUSE OpenStack Cloud 6 (src):    openstack-horizon-plugin-manila-ui-1.2.1~a0~dev2-3.1