Bug 1439626 (CVE-2017-7400) - CVE-2017-7400 python-django-horizon: XSS in federation mappings UI
Summary: CVE-2017-7400 python-django-horizon: XSS in federation mappings UI
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-7400
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1444274 1444275 1444276
Blocks: 1439627
TreeView+ depends on / blocked
 
Reported: 2017-04-06 10:40 UTC by Andrej Nemec
Modified: 2019-09-29 14:09 UTC (History)
20 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A cross-site scripting flaw was discovered in the OpenStack dashboard (horizon) which allowed remote authenticated administrators to conduct XSS attacks using a crafted federation mapping rule. For this flaw to be exploited, federation mapping must be enabled in the dashboard.
Clone Of:
Environment:
Last Closed: 2017-07-12 21:32:13 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1598 0 normal SHIPPED_LIVE Low: python-django-horizon security, bug fix, and enhancement update 2017-06-28 18:52:32 UTC
Red Hat Product Errata RHSA-2017:1739 0 normal SHIPPED_LIVE Low: python-django-horizon security and bug fix update 2017-07-12 17:12:51 UTC

Description Andrej Nemec 2017-04-06 10:40:23 UTC 
OpenStack Horizon allows remote authenticated administrators to conduct XSS attacks via a crafted federation mapping.

Upstream bug:

https://bugs.launchpad.net/horizon/+bug/1667086
Comment 1 Andrej Nemec 2017-04-06 10:51:37 UTC 
Upstream patches:

https://review.openstack.org/442455 (Mitaka)
https://review.openstack.org/442454 (Newton)
https://review.openstack.org/442453 (Ocata)
https://review.openstack.org/442277 (Pike)
Comment 3 Summer Long 2017-04-21 03:26:42 UTC 
Created python-django-horizon tracking bugs for this issue:

Affects: openstack-rdo [bug 1444276]
Comment 4 errata-xmlrpc 2017-06-28 15:18:34 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2017:1598 https://access.redhat.com/errata/RHSA-2017:1598
Comment 5 errata-xmlrpc 2017-07-12 13:17:23 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 9.0 (Mitaka)

Via RHSA-2017:1739 https://access.redhat.com/errata/RHSA-2017:1739
Note You need to log in before you can comment on or make changes to this bug.