InfluxDB 0.9.5 has Reflected XSS in the Write Data module.

References:
https://github.com/influxdata/influxdb/releases/tag/v0.9.6
https://gist.github.com/Raghavrao29/1cb84f1f2d8ce993fd7b2d1366d35f48
This cross-site-scripting (XSS) vulnerability affects the admin GUI of InfluxDB. Furthermore, in InfluxDB v1.2 the admin GUI was deprecated and disabled by default (thanks for the find, jpadman). Ref: https://docs.influxdata.com/influxdb/v1.2/tools/web_admin/

OpenShift ServiceMesh vendors InfluxDB v1.2.3+ in servicemesh-prometheus and is not vulnerable. Plus, the vendored code is just the client libraries for InfluxDB.
The following OpenShift containers only vendor in the InfluxDB client version and are not vulnerable to the admin GUI vulnerability:
- openshift/ose-ovn-kubernetes
- openshift/ose-prometheus
Created golang-github-influxdb-influxdb tracking bugs for this issue:

Affects: epel-6 [bug 1812330]
Affects: fedora-30 [bug 1812329]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-17572