Bug 1007482

Summary: CVE-2013-4181 ovirt-engine: RedirectServlet cross-site scripting flaw
Product: [Retired] oVirt Reporter: Petr Matousek <pmatouse>
Component: ovirt-engine-coreAssignee: Alexander Wels <awels>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acathrow, ecohen, iheim, mburns, yeylon
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: ux
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-09-23 07:26:39 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 988774    

Description Petr Matousek 2013-09-12 14:53:24 UTC
A cross-site scripting (XSS) flaw was found in the RedirectServlet of the oVirt Engine. A remote attacker could provide a specially-crafted link, that when visited by an unsuspecting oVirt user would lead to arbitrary script execution in the context of the oVirt domain.  Access to the RedirectServer does not require authentication.

Comment 1 Itamar Heim 2013-09-15 07:42:56 UTC
einav - this gerrit ID is for master.
for bug to be ON_QA it should be in the 3.3 branch (and have a build with it?

Comment 2 Einav Cohen 2013-09-16 17:20:08 UTC
(In reply to Itamar Heim from comment #1)
> einav - this gerrit ID is for master.
> for bug to be ON_QA it should be in the 3.3 branch (and have a build with it?

I haven't actually put it on ON_QA, nevertheless:
- patch has been merged to every possible branch, not only "master" (will update the External Tracker shortly)
- http://lists.ovirt.org/pipermail/users/2013-September/016268.html (3.2 Async announcement)
- http://lists.ovirt.org/pipermail/users/2013-September/016269.html (3.3 announcement)

Comment 3 Itamar Heim 2013-09-23 07:26:39 UTC
closing as this should be in 3.3 (doing so in bulk, so may be incorrect)