Bug 1524949 - (CVE-2017-11507) CVE-2017-11507 check-mk: Stored XSS vulnerability using the internal server error handler
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: medium  Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20170706,repor...
Keywords: Security
Blocks: 1524950
Reported: 2017-12-12 05:51 EST by Adam Mariš
Modified: 2017-12-14 05:17 EST
Fixed In Version: check-mk 1.2.8p25, check-mk 1.4.0p9, check-mk 1.5.0i1
Last Closed: 2017-12-13 23:47:17 EST

Description Adam Mariš 2017-12-12 05:51:42 EST
A cross-site scripting (XSS) vulnerability exists in Check_MK versions 1.2.8x prior to 1.2.8p25 and 1.4.0x prior to 1.4.0p9, allowing an unauthenticated attacker to inject arbitrary HTML or JavaScript via the output_format parameter, and the username parameter of failed HTTP basic authentication attempts, which is returned unencoded in an internal server error page.

References:

https://www.tenable.com/security/research/tra-2017-20
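The flaw described above is an error page that echoes a request parameter without encoding it. The following is an added illustration (not Check_MK's code; the handler, parameter handling and allowlist are hypothetical) showing that pattern beside a hardened handler that validates the parameter against an allowlist and HTML-escapes every request-derived value before it reaches the page body:

```python
import html

# Constructed sample request (not captured traffic): the output_format
# parameter carries the HTML payload quoted in the report.
SAMPLE_PARAMS = {"output_format": "<script>alert('XSS')</script>"}

# Hypothetical allowlist of formats the handler is willing to name back to
# the client; unknown values fall back to the default.
KNOWN_FORMATS = ("html", "json", "csv")


def normalize_output_format(params: dict) -> str:
    """Validate early: accept only a known format name, else use 'html'."""
    fmt = params.get("output_format", "html")
    return fmt if fmt in KNOWN_FORMATS else "html"


def render_error_unsafe(params: dict, message: str) -> str:
    """Vulnerable pattern: the raw parameter value is concatenated into the
    internal-error page, so a value containing markup is rendered as markup."""
    fmt = params.get("output_format", "html")
    return (
        "<html><body><h1>Internal server error</h1>"
        f"<p>{message}</p>"
        f"<p>Requested output format: {fmt}</p>"
        "</body></html>"
    )


def render_error_safe(params: dict, message: str) -> str:
    """Hardened pattern: the value is normalized, and everything that came
    from the request (or could) is escaped with html.escape, which encodes
    <, >, &, \" and ' so the text cannot open or close a tag."""
    fmt = html.escape(normalize_output_format(params), quote=True)
    safe_message = html.escape(message, quote=True)
    return (
        "<html><body><h1>Internal server error</h1>"
        f"<p>{safe_message}</p>"
        f"<p>Requested output format: {fmt}</p>"
        "</body></html>"
    )


def echoes_raw_value(page: str, params: dict) -> bool:
    """Detection helper: does the attacker-supplied value appear verbatim?"""
    return params.get("output_format", "") in page
```

Escaping at the point of output is the fix that matters even when an allowlist exists, because the same error handler typically also prints values (such as the failed basic-auth username mentioned in the report) that cannot be allowlisted.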
Comment 1 Andrea Veri 2017-12-13 09:41:53 EST
We're shipping 1.2.8p26 already on all the supported channels. Is this report still relevant?
Comment 2 Siddharth Sharma 2017-12-13 23:44:43 EST
Analysis:

As per the report, the attack vector is http://[target]/[sitename]/check_mk/login.py?output_format=<script>alert(%27XSS%27)</script>.
check_mk/login.py is part of the check-mk-multisite rpm; this rpm is not shipped with Red Hat Gluster Storage 3.
Comment 3 Siddharth Sharma 2017-12-13 23:46:25 EST
Statement:

Red Hat Gluster Storage 3 does not ship check-mk-multisite rpm, and is therefore not affected by this flaw.
Comment 4 Adam Mariš 2017-12-14 05:17:57 EST
(In reply to Andrea Veri from comment #1)
> We're shipping 1.2.8p26 already on all the supported channels. Is this
> report still relevant?

I know, therefore Fedora is marked as not affected. No action is needed, thanks for checking though!
