Bug 1197769 (CVE-2015-0298)
Summary: | CVE-2015-0298 mod_cluster: JavaScript code injection is possible via MCMP mod_manager messages | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | Michal Karm Babacek <mbabacek> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | aileenc, alazarot, asantos, aszczucz, bbaranow, bdawidow, bmaxwell, bperkins, brms-jira, cdewolf, chazlett, dandread, darran.lofthouse, epp-bugs, etirelli, fnasser, gvarsami, huwang, jawilson, jboss-set, jbpapp-maint, jclere, jcoleman, jdg-bugs, jdoyle, jolee, jpallich, kconner, ldimaggi, lgao, lpetrovi, mbabacek, mbaluch, mgoldman, mweiler, mwinkler, myarboro, nwallace, pgier, psakar, pslavice, rhq-maint, rrajasek, rsvoboda, rwagner, rzhang, security-response-team, soa-p-jira, spinder, tcunning, theute, tkirby, ttarrant, twalsh, vhalbert, vtunka, weli |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
A flaw was found in the way the mod_cluster manager processed certain MCMP messages. An attacker with access to the network from which MCMP messages are allowed to be sent could use this flaw to execute arbitrary JavaScript code in the mod_cluster manager web interface.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2019-06-08 02:39:19 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1197186, 1238180, 1245614, 1260483, 1260484 | ||
Bug Blocks: | 1197776, 1254231 |
Description
Vasyl Kaigorodov
2015-03-02 15:01:44 UTC
Ad Comment 0: [1] https://issues.jboss.org/secure/attachment/12388047/12388047_MODCLUSTER-453_master-better_one.patch removing embargo due to patch has been included in EAP 6.4. This issue has been addressed in the following products: JBoss Web Server 2.1.0 Via RHSA-2015:1641 https://rhn.redhat.com/errata/RHSA-2015-1641.html This issue has been addressed in the following products: JBEWS 2 for RHEL 6 JBEWS 2 for RHEL 7 JBEWS 2 for RHEL 5 Via RHSA-2015:1642 https://rhn.redhat.com/errata/RHSA-2015-1642.html |