Back to bug 2214237
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Sandipan Roy | 2023-06-12 10:35:21 UTC | CC | amctagga, muagarwa, nbecker, nobody, ocs-bugs, tnielsen | |
| Sandipan Roy | 2023-06-12 10:43:31 UTC | CC | dfreiber, jburrell, rogbas, vkumar | |
| Sandipan Roy | 2023-06-12 10:47:49 UTC | Alias | TRIAGE-CVE-2023-2121 | CVE-2023-2121 |
| Sandipan Roy | 2023-06-12 10:48:06 UTC | Blocks | 2213897 | |
| Sandipan Roy | 2023-06-12 10:48:52 UTC | Priority | low | high |
| Sandipan Roy | 2023-06-12 10:48:52 UTC | Severity | low | high |
| Avinash Hanwate | 2023-06-12 11:47:29 UTC | Priority | high | medium |
| Avinash Hanwate | 2023-06-12 11:47:29 UTC | Severity | high | medium |
| Sandipan Roy | 2023-06-12 11:52:09 UTC | Summary | TRIAGE-CVE-2023-2121 hashicorp: html injection into web ui | CVE-2023-2121 hashicorp: html injection into web ui |
| Avinash Hanwate | 2023-06-13 06:22:47 UTC | Doc Text | HashiCorp Vault and Vault Enterprise are vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the key-value v2 (kv-v2) diff viewer. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. | |
| Avinash Hanwate | 2023-06-13 06:22:47 UTC | Fixed In Version | vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11 | |
| Avinash Hanwate | 2023-06-13 06:24:02 UTC | Depends On | 2214480, 2214485, 2214482, 2214487, 2214484, 2214483, 2214481, 2214486 | |
| Avinash Hanwate | 2023-06-13 06:24:57 UTC | Fixed In Version | vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11 | vault 1.14.0, vault 1.13.3, vault 1.12.7, vault 1.11.11 |
| Avinash Hanwate | 2023-06-13 06:25:58 UTC | Doc Text | HashiCorp Vault and Vault Enterprise are vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the key-value v2 (kv-v2) diff viewer. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. | HashiCorp Vault and Vault Enterprise are vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the key-value v2 (kv-v2) diff viewer. A remote, authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. |
| RaTasha Tillery-Smith | 2023-06-13 11:53:34 UTC | Doc Text | HashiCorp Vault and Vault Enterprise are vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the key-value v2 (kv-v2) diff viewer. A remote, authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. | A flaw was found in HashiCorp Vault and Vault Enterprise, where they are vulnerable to Cross-site scripting caused by improper validation of user-supplied input by the key-value v2 (kv-v2) diff viewer. A remote, authenticated attacker can inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site once the page is viewed. This flaw allows an attacker to steal the victim's cookie-based authentication credentials. |
| Red Hat Bugzilla | 2023-07-07 08:32:53 UTC | Assignee | security-response-team | nobody |
| Red Hat Bugzilla | 2023-08-03 08:28:37 UTC | CC | ocs-bugs | |