Bug 1524949 (CVE-2017-11507) - CVE-2017-11507 check-mk: Stored XSS vulnerability using the internal server error handler
Summary: CVE-2017-11507 check-mk: Stored XSS vulnerability using the internal server e...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2017-11507
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium (priority), medium (severity)
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1524950
Reported: 2017-12-12 10:51 UTC by Adam Mariš
Modified: 2021-02-17 01:06 UTC
CC List: 5 users

Fixed In Version: check-mk 1.2.8p25, check-mk 1.4.0p9, check-mk 1.5.0i1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-12-14 04:47:17 UTC
Embargoed:



Description Adam Mariš 2017-12-12 10:51:42 UTC
A cross-site scripting (XSS) vulnerability exists in Check_MK versions 1.2.8x prior to 1.2.8p25 and 1.4.0x prior to 1.4.0p9, allowing an unauthenticated attacker to inject arbitrary HTML or JavaScript via the output_format parameter, and the username parameter of failed HTTP basic authentication attempts, which is returned unencoded in an internal server error page.

References:

https://www.tenable.com/security/research/tra-2017-20
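The description names two request-derived values (the output_format parameter and the basic-auth username) that end up unencoded in an internal server error page. The following Python is an added illustration, not Check_MK's code and not taken from the Tenable advisory: it models that vulnerable handler beside a fixed one that HTML-encodes the values, adds an allow-list check for output_format, and includes a response check and an access-log check a defender can use to confirm the fix or spot the request pattern. The function names, the allow-list of formats and the sample inputs are assumptions made here; the payload string is the one quoted in comment 2.

```python
"""Added illustration for the flaw described above; this is not Check_MK's
code.  It models an internal-error handler that echoes two request-derived
values (the output_format parameter and the basic-auth username) into HTML
without encoding, the fixed handler that HTML-encodes them, a response check
that detects the unencoded reflection, and a helper that flags such a request
in an access-log line.  Function names, the allow-list of output formats and
the sample inputs are all assumptions made here."""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample value, taken from the attack vector quoted in comment 2.
PAYLOAD = "<script>alert('XSS')</script>"

# Hypothetical allow-list of legitimate output formats; not Check_MK's list.
ALLOWED_FORMATS = frozenset({"html", "json", "csv", "python"})


def error_page_unsafe(output_format: str, username: str) -> str:
    """Vulnerable pattern: untrusted strings are concatenated straight into
    the error page, so markup in either value becomes part of the document."""
    return (
        "<html><body><h1>Internal server error</h1>"
        f"<p>Unsupported output format: {output_format}</p>"
        f"<p>Authentication failed for user: {username}</p>"
        "</body></html>"
    )


def error_page_safe(output_format: str, username: str) -> str:
    """Fixed pattern: every request-derived value is HTML-encoded before it
    is placed in the page (quote=True also encodes ' and ", which matters
    inside attribute values)."""
    fmt = html.escape(output_format, quote=True)
    user = html.escape(username, quote=True)
    return (
        "<html><body><h1>Internal server error</h1>"
        f"<p>Unsupported output format: {fmt}</p>"
        f"<p>Authentication failed for user: {user}</p>"
        "</body></html>"
    )


def output_format_is_valid(value: str) -> bool:
    """Defence in depth: reject output_format values that are not on the
    allow-list before they reach any handler that might echo them."""
    return value in ALLOWED_FORMATS


def reflects_markup(page: str, value: str) -> bool:
    """Response check: True if a request value containing '<' or '>' appears
    verbatim in the response body, i.e. the handler did not encode it."""
    return ("<" in value or ">" in value) and value in page


def suspicious_output_format(request_line: str) -> bool:
    """Log check over an access-log request line ('GET /path?query HTTP/1.1'):
    flags an output_format value that still contains markup characters after
    percent-decoding, which a legitimate client does not send."""
    parts = request_line.split()
    target = parts[1] if len(parts) > 1 else request_line
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return any("<" in v or ">" in v for v in params.get("output_format", []))


if __name__ == "__main__":
    unsafe = error_page_unsafe(PAYLOAD, "admin")
    safe = error_page_safe(PAYLOAD, "admin")
    print("unsafe page reflects markup:", reflects_markup(unsafe, PAYLOAD))
    print("safe page reflects markup:  ", reflects_markup(safe, PAYLOAD))
    # Constructed access-log request line carrying the percent-encoded vector.
    log_line = ("GET /mysite/check_mk/login.py?output_format="
                "%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1")
    print("log line flagged:", suspicious_output_format(log_line))
```

The two checks serve different purposes: `reflects_markup` is what a regression test runs against the patched error page, while `suspicious_output_format` is a cheap triage filter over web-server access logs for the request shape this report describes; neither replaces output encoding in the handler itself.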

Comment 1 Andrea Veri 2017-12-13 14:41:53 UTC
We're shipping 1.2.8p26 already on all the supported channels. Is this report still relevant?

Comment 2 Siddharth Sharma 2017-12-14 04:44:43 UTC
Analysis:

As per the report, the attack vector is http://[target]/[sitename]/check_mk/login.py?output_format=<script>alert(%27XSS%27)</script>.
check_mk/login.py is part of the check-mk-multisite rpm; this rpm is not shipped with Red Hat Gluster Storage 3.

Comment 3 Siddharth Sharma 2017-12-14 04:46:25 UTC
Statement:

Red Hat Gluster Storage 3 does not ship check-mk-multisite rpm, and is therefore not affected by this flaw.

Comment 4 Adam Mariš 2017-12-14 10:17:57 UTC
(In reply to Andrea Veri from comment #1)
> We're shipping 1.2.8p26 already on all the supported channels. Is this
> report still relevant?

I know, therefore Fedora is marked as not affected. No action is needed, thanks for checking though!

