Bug 1811836 (CVE-2018-17572)
Summary: | CVE-2018-17572 influxdb: Reflected cross-site-scripting in the Write Data module | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | alegrand, anpicker, bmontgom, eparis, erooth, fpokorny, go-sig, jburrell, jchaloup, jokerman, kakkoyun, kconner, lcosic, mcooper, mloibl, nstielau, pkrupa, rcernich, sponnaga, surbania, vbatts |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2020-03-11 04:31:43 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1812329, 1812330 | ||
Bug Blocks: | 1811837 |
Description
Pedro Sampaio
2020-03-09 21:42:54 UTC
This cross-site-scripting (XSS) vulnerability affects the admin GUI of InfluxDB. Furthermore, in InfluxDB v1.2 the admin GUI was deprecated and disabled by default (thanks for the find jpadman). Ref: https://docs.influxdata.com/influxdb/v1.2/tools/web_admin/ OpenShift ServiceMesh vendors InfluxDB v1.2.3+ in servicesh-prometheus and is not vulnerable. Plus the vendored code, is just the client libraries for InfluxDB. The following OpenShift containers only vendor in the InfluxDB client version, not vulnerable to the admin GUI vulnerability: - openshift/ose-ovn-kubernetes - openshift/ose-prometheus Created golang-github-influxdb-influxdb tracking bugs for this issue: Affects: epel-6 [bug 1812330] Affects: fedora-30 [bug 1812329] This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-17572 |