Bug 1228534 (CVE-2015-3219)

Summary: CVE-2015-3219 python-django-horizon: XSS in Heat stack creation
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abaron, aortega, apevec, athomas, ayoung, chrisw, dallan, gkotton, gmollett, iovadia, lhh, lpeer, markmc, mrunge, rbryant, sclewis, security-response-team, yeylon
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: python-django-horizon 2014.2.4, python-django-horizon 2015.1.1
Doc Type: Bug Fix
Doc Text:
A cross-site scripting (XSS) flaw was found in the Horizon orchestration dashboard. An attacker able to trick a Horizon user into using a malicious template during the stack creation could use this flaw to perform an XSS attack on that user.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-26 02:44:31 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1230971, 1230972, 1230973, 1235924
Bug Blocks: 1222872
Attachments (Description / Flags):
cve-2015-3219-master-liberty.patch (none)
cve-2015-3219-stable-juno.patch (none)
cve-2015-3219-stable-kilo.patch (none)

Description Martin Prpič 2015-06-05 06:58:08 UTC
By tricking a Horizon user into using a malicious template in the Orchestration/Stack section of Horizon, a remote attacker may trigger a cross-site scripting (XSS) vulnerability during the stack creation. It may result in the potential theft of assets such as user access credentials. Only setups exposing the orchestration dashboard in Horizon are affected.

Acknowledgement:

Red Hat would like to thank the OpenStack Project for reporting this issue. Upstream acknowledges Nikita Konovalov from Mirantis as the original reporter.

Comment 1 Martin Prpič 2015-06-05 06:59:27 UTC
Created attachment 1035037 [details]
cve-2015-3219-master-liberty.patch

Comment 2 Martin Prpič 2015-06-05 06:59:30 UTC
Created attachment 1035038 [details]
cve-2015-3219-stable-juno.patch

Comment 3 Martin Prpič 2015-06-05 06:59:33 UTC
Created attachment 1035039 [details]
cve-2015-3219-stable-kilo.patch

Comment 4 Kurt Seifried 2015-06-11 04:43:01 UTC
This is public now:

https://security.openstack.org/ossa/OSSA-2015-010.html

Comment 5 Kurt Seifried 2015-06-11 22:31:53 UTC
Created python-django-horizon tracking bugs for this issue:

Affects: fedora-all [bug 1230971]

Comment 7 Garth Mollett 2015-06-11 22:42:39 UTC
Created python-django-horizon tracking bugs for this issue:

Affects: openstack-rdo [bug 1230973]

Comment 8 Ido Ovadia 2015-06-14 14:58:02 UTC
Verified
========
python-django-horizon-2015.1.0-10.el7ost.noarch

Comment 10 errata-xmlrpc 2015-08-24 20:16:13 UTC
This issue has been addressed in the following products:

  OpenStack 6 for RHEL 7

Via RHSA-2015:1679 https://rhn.redhat.com/errata/RHSA-2015-1679.html