Bug 1433087 (CVE-2017-2658) - CVE-2017-2658 Dashbuilder: Lack of clickjacking protection on the login page
Summary: CVE-2017-2658 Dashbuilder: Lack of clickjacking protection on the login page
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-2658
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1469740 1469741
Blocks: 1429673 1433086
Reported: 2017-03-16 18:33 UTC by Pavel Polischouk
Modified: 2021-02-17 02:27 UTC (History)
CC List: 13 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was discovered that the Dashbuilder login page could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console (clickjacking).
Clone Of:
Environment:
Last Closed: 2019-06-08 03:09:03 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:0557 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss BPM Suite security update 2017-03-17 01:09:43 UTC
Red Hat Product Errata RHSA-2018:2243 0 None None None 2018-07-23 19:35:28 UTC

Description Pavel Polischouk 2017-03-16 18:33:09 UTC
It was discovered that the Dashbuilder login page could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console (clickjacking).
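The flaw described above is the absence of a framing restriction on the login response: without an X-Frame-Options header (DENY or SAMEORIGIN) or a Content-Security-Policy frame-ancestors directive, any origin can embed the page in an IFRAME. The following checker is an added example written for this page, not code from the bug report or from Dashbuilder; it classifies a set of response headers the way a browser would, and the header sets at the bottom are constructed samples, not captures from the affected product.

```python
"""Classify whether HTTP response headers stop a page from being framed.

Added example, not part of the Bugzilla record or the Dashbuilder code base.
Header sets at the bottom are constructed for illustration.
"""
from typing import List, Mapping, Optional, Tuple


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_verdict(headers: Mapping[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is one of
    'blocked', 'same-origin', 'allowlist' or 'frameable'.

    CSP frame-ancestors is evaluated first: when that directive is present,
    browsers ignore X-Frame-Options for the same response.
    """
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = _frame_ancestors(csp)
        if sources is not None:
            if not sources or sources == ["'none'"]:
                return "blocked", "CSP frame-ancestors 'none'"
            if sources == ["'self'"]:
                return "same-origin", "CSP frame-ancestors 'self'"
            if any(s in ("*", "http:", "https:") for s in sources):
                return "frameable", "CSP frame-ancestors allows any origin"
            return "allowlist", "CSP frame-ancestors limited to " + " ".join(sources)

    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return "frameable", "no X-Frame-Options or CSP frame-ancestors header"
    values = {v.strip().upper() for v in xfo.split(",")}
    if values == {"DENY"}:
        return "blocked", "X-Frame-Options: DENY"
    if values == {"SAMEORIGIN"}:
        return "same-origin", "X-Frame-Options: SAMEORIGIN"
    # ALLOW-FROM is obsolete, and conflicting or unknown values are ignored by
    # current browsers, which leaves the page frameable.
    return "frameable", "X-Frame-Options value not enforced by current browsers: " + xfo


# Constructed sample header sets (not captured from Dashbuilder).
VULNERABLE_LOGIN = {
    "Content-Type": "text/html",
    "Set-Cookie": "JSESSIONID=constructed-sample; HttpOnly",
}
FIXED_WITH_XFO = {**VULNERABLE_LOGIN, "X-Frame-Options": "DENY"}
FIXED_WITH_CSP = {
    **VULNERABLE_LOGIN,
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    for label, hdrs in (("vulnerable", VULNERABLE_LOGIN),
                        ("x-frame-options fix", FIXED_WITH_XFO),
                        ("csp fix", FIXED_WITH_CSP)):
        verdict, reason = framing_verdict(hdrs)
        print(f"{label:20s} {verdict:12s} {reason}")
```

Run against the headers of a real login page (for example, the dict returned by an HTTP client's response object), a verdict of "frameable" is the condition this CVE describes; "blocked" or "same-origin" is what the fixed release should return. The CSP directive is checked before X-Frame-Options because browsers that honour frame-ancestors disregard X-Frame-Options on the same response.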

Comment 1 Pavel Polischouk 2017-03-16 18:35:09 UTC
Acknowledgments:

Name: Martin Weiler (Red Hat)

Comment 3 errata-xmlrpc 2017-03-16 21:10:18 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.4.2

Via RHSA-2017:0557 https://rhn.redhat.com/errata/RHSA-2017-0557.html

Comment 7 errata-xmlrpc 2018-07-23 19:35:22 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization

Via RHSA-2018:2243 https://access.redhat.com/errata/RHSA-2018:2243
