Back to bug 1373347
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Jeremy Choi | 2016-09-06 05:04:01 UTC | Blocks | 1373338 | |
| Martin Prpič | 2016-09-07 06:55:56 UTC | Whiteboard | impact=moderate,public=20160906,reported=20160906,source=redhat,cvss2=4.0/AV:N/AC:H/Au:N/C:P/I:P/A:N,cvss3=4.2/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N,cwe=CWE-598/CWE-352,bpms-6/dashbuilder=affected | impact=moderate,public=20160906,reported=20160906,source=redhat,cvss2=4.0/AV:N/AC:H/Au:N/C:P/I:P/A:N,cvss3=4.2/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N,cwe=CWE-352,bpms-6/dashbuilder=affected |
| Pavel Polischouk | 2016-10-18 20:20:00 UTC | Blocks | 1373338 | |
| Pavel Polischouk | 2016-10-18 20:22:02 UTC | Blocks | 1386400 | |
| Pavel Polischouk | 2016-10-18 22:03:41 UTC | Whiteboard | impact=moderate,public=20160906,reported=20160906,source=redhat,cvss2=4.0/AV:N/AC:H/Au:N/C:P/I:P/A:N,cvss3=4.2/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N,cwe=CWE-352,bpms-6/dashbuilder=affected | impact=moderate,public=20160906,reported=20160906,source=redhat,cvss2=4.0/AV:N/AC:H/Au:N/C:P/I:P/A:N,cvss3=4.2/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N,cwe=CWE-352,bpms-6/dashbuilder=affected,brms-6/dashbuilder=affected |
| Pavel Polischouk | 2016-10-18 22:03:48 UTC | CC | etirelli, kverlaen | |
| Pavel Polischouk | 2016-12-15 16:09:38 UTC | Whiteboard | impact=moderate,public=20160906,reported=20160906,source=redhat,cvss2=4.0/AV:N/AC:H/Au:N/C:P/I:P/A:N,cvss3=4.2/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N,cwe=CWE-352,bpms-6/dashbuilder=affected,brms-6/dashbuilder=affected | impact=moderate,public=20160906,reported=20160906,source=redhat,cvss2=4.0/AV:N/AC:H/Au:N/C:P/I:P/A:N,cvss3=4.2/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N,cwe=CWE-352,bpms-6/dashbuilder=affected,brms-6/dashbuilder=notaffected |
| David Gutierrez | 2016-12-29 13:13:45 UTC | CC | dgutierr | |
| Pavel Polischouk | 2017-03-01 22:55:03 UTC | Doc Text | It has been reported that CSRF tokens are not properly handled in JBoss BPM suite dashbuilder. Old tokens generated during an active session can be used to bypass CSRF protection. In addition, the tokens are sent in query string so they can be exposed through the browser's history, Referers, web logs, and other sources. Attackers may be able to obtain old tokens from various sources in the network and perform CSRF attacks successfully. | |
| | | Doc Type | If docs needed, set a value | Bug Fix |
| Eric Christensen | 2017-03-02 18:32:59 UTC | Doc Text | It has been reported that CSRF tokens are not properly handled in JBoss BPM suite dashbuilder. Old tokens generated during an active session can be used to bypass CSRF protection. In addition, the tokens are sent in query string so they can be exposed through the browser's history, Referers, web logs, and other sources. Attackers may be able to obtain old tokens from various sources in the network and perform CSRF attacks successfully. | It has been reported that CSRF tokens are not properly handled in JBoss BPM suite dashbuilder. Old tokens generated during an active session can be used to bypass CSRF protection. In addition, the tokens are sent in query string so they can be exposed through the browser's history, referrers, web logs, and other sources. Attackers may be able to obtain old tokens from various sources in the network and perform CSRF attacks successfully. |
| Pavel Polischouk | 2017-03-06 20:01:53 UTC | Blocks | 1429673 | |
| Pavel Polischouk | 2017-03-16 21:30:17 UTC | Status | NEW | CLOSED |
| | | Resolution | --- | ERRATA |
| | | Last Closed | 2017-03-16 17:30:17 UTC | |
| Pavel Polischouk | 2017-07-11 18:16:36 UTC | Status | CLOSED | NEW |
| | | Resolution | ERRATA | --- |
| | | Keywords | Reopened | |
| Pavel Polischouk | 2017-07-11 18:27:18 UTC | CC | felias, hchiorea, jolee, vhalbert | |
| | | Whiteboard | impact=moderate,public=20160906,reported=20160906,source=redhat,cvss2=4.0/AV:N/AC:H/Au:N/C:P/I:P/A:N,cvss3=4.2/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N,cwe=CWE-352,bpms-6/dashbuilder=affected,brms-6/dashbuilder=notaffected | impact=moderate,public=20160906,reported=20160906,source=redhat,cvss2=4.0/AV:N/AC:H/Au:N/C:P/I:P/A:N,cvss3=4.2/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N,cwe=CWE-352,bpms-6/dashbuilder=affected,brms-6/dashbuilder=notaffected,jdv-6/dashbuilder=affected |
| Pavel Polischouk | 2017-07-11 18:29:36 UTC | Summary | CVE-2016-7034 JBoss bpms: insecure handling CSRF token in dashbuilder | CVE-2016-7034 Dashbuilder: insecure handling of CSRF token |
| Pavel Polischouk | 2017-07-11 18:31:21 UTC | Depends On | 1469742, 1469743 | |
| Pavel Polischouk | 2017-12-05 22:31:07 UTC | Blocks | 1521173 | |
| PnT Account Manager | 2017-12-07 23:58:26 UTC | CC | felias | |
| PnT Account Manager | 2018-01-30 20:39:53 UTC | CC | hchiorea | |
| PnT Account Manager | 2018-05-10 18:17:55 UTC | CC | pavelp | |
| Chess Hazlett | 2018-08-07 15:14:32 UTC | Status | NEW | CLOSED |
| | | Resolution | --- | ERRATA |
| | | Last Closed | 2017-03-16 17:30:17 UTC | 2018-08-07 11:14:32 UTC |
| Product Security DevOps Team | 2019-09-29 13:55:15 UTC | Whiteboard | impact=moderate,public=20160906,reported=20160906,source=redhat,cvss2=4.0/AV:N/AC:H/Au:N/C:P/I:P/A:N,cvss3=4.2/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N,cwe=CWE-352,bpms-6/dashbuilder=affected,brms-6/dashbuilder=notaffected,jdv-6/dashbuilder=affected | |