Bug 1781001 (CVE-2019-19336)

Summary: CVE-2019-19336 ovirt-engine: response_type parameter allows reflected XSS
Product: [Other] Security Response Reporter: Doran Moppert <dmoppert>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dblechte, dfediuck, eedri, lleistne, mgoldboi, michal.skrivanek, mperina, nobody, omachace, pkliczew, psampaio, Rhev-m-bugs, sbonazzo, security-response-team, sherold, yturgema
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ovirt 4.3.8 Doc Type: If docs needed, set a value
Doc Text:
A cross-site scripting vulnerability was reported in the oVirt-engine's OAuth authorization endpoint. URL parameters were included in the HTML response without escaping. This flaw would allow an attacker to craft malicious HTML pages that can run scripts in the context of the user's oVirt session.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-02-13 20:09:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1781002, 1788050    
Bug Blocks: 1780456    

Description Doran Moppert 2019-12-09 04:39:25 UTC 
A cross-site scripting vulnerability was reported in ovirt-engine's OAuth authorization endpoint. URL parameters would be included in the HTML response without escaping, allowing an attacker to craft malicious HTML pages that could run scripts in the context of the user's ovirt session.

References:

https://lists.ovirt.org/archives/list/announce@ovirt.org/thread/RHF4BJIIRVEW3PQVDLJTDZO5AARQWO6U/
Comment 4 Doran Moppert 2020-01-10 02:58:36 UTC 
Acknowledgments:

Name: @_w4rr4nt_
Comment 5 errata-xmlrpc 2020-02-13 15:24:41 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.3

Via RHSA-2020:0498 https://access.redhat.com/errata/RHSA-2020:0498
Comment 6 Product Security DevOps Team 2020-02-13 20:09:34 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19336
Comment 8 errata-xmlrpc 2020-08-04 13:15:44 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2020:3247 https://access.redhat.com/errata/RHSA-2020:3247