Bug 2127870
Summary: | redis: lack of sanitization of user-supplied inputs when constructing cypher queries in acm | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Borja Tarraso <btarraso>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED DUPLICATE | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | unspecified | CC: | crizzo, gparvin, jpadilla, jramanat, njean, owatkins, pahickey, security-response-team, shvarugh, stcannon, teagle
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value
Doc Text: | A flaw was found in the search API components of Red Hat Advanced Cluster Management for Kubernetes (RHACM). Using specially crafted inputs, a cypher query can be made to return or modify arbitrary records in the database, resulting in data leaks and incoherence. Depending on the configuration and database, an attacker could try to elevate their privileges on the database and interact with the underlying operating system. An attacker could also leverage this vulnerability to attack the logic of applications relying on the affected database and the trustworthiness of the data stored in it. | |
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2022-10-31 13:51:11 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 2127433 | |
Description

Borja Tarraso, 2022-09-19 09:45:20 UTC

*** This bug has been marked as a duplicate of bug 2101669 ***