Syndesis, the underlying code to Fuse Online, contains a dangerous default for the CORS "setAllowedOrigins" value, as seen here:
- https://github.com/syndesisio/syndesis/blob/master/app/server/runtime/src/main/java/io/syndesis/server/runtime/SecurityConfiguration.java#L95
  configuration.setAllowedOrigins(Arrays.asList(CorsConfiguration.ALL));
CorsConfiguration.ALL is the wildcard origin "*". With this default in place, any service built on the platform answers cross-origin requests from every web origin, so a page on an attacker-controlled site that a user has been lured to (a phishing-style attack) can issue requests to the service and read the responses, because the browser's same-origin protection has effectively been switched off for that API. The allowed origins should instead be an explicit list of the sites that legitimately host the UI. A quick check for the problem is to send a request with an arbitrary Origin header (for example with curl) and look for "Access-Control-Allow-Origin: *" in the response.
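The following is an added example, not Syndesis or Red Hat code, that puts the reported wildcard default beside an explicit allow-list and lets Spring's own CorsConfiguration.checkOrigin() decide each request Origin (it returns the value to send in Access-Control-Allow-Origin, or null when the origin must be refused). It assumes spring-web on the classpath; the hostnames fuse-online.example.com and attacker.example are placeholders, not values from the advisory.

```java
import java.util.Arrays;
import java.util.List;
import org.springframework.web.cors.CorsConfiguration;

// Added example: wildcard CORS default versus an explicit allow-list,
// evaluated with Spring's CorsConfiguration.checkOrigin().
public class CorsOriginCheck {

    // Mirrors the reported default: every origin is accepted ("*").
    static CorsConfiguration wildcardConfig() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList(CorsConfiguration.ALL));
        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE"));
        return configuration;
    }

    // Hardened form: only the origins that actually serve the UI.
    // Credentials may be combined with an explicit allow-list, never with "*".
    static CorsConfiguration allowListConfig(List<String> trustedOrigins) {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(trustedOrigins);
        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE"));
        configuration.setAllowCredentials(true);
        return configuration;
    }

    // Returns the Access-Control-Allow-Origin value a configuration would emit
    // for the given request Origin, or null if the request would be refused.
    static String decide(CorsConfiguration configuration, String requestOrigin) {
        return configuration.checkOrigin(requestOrigin);
    }

    public static void main(String[] args) {
        // Placeholder hostnames (assumptions for the example, not from the advisory).
        List<String> trusted = Arrays.asList("https://fuse-online.example.com");
        String[] requestOrigins = {
            "https://fuse-online.example.com",  // the legitimate UI
            "https://attacker.example"          // a phishing page
        };

        CorsConfiguration wildcard = wildcardConfig();
        CorsConfiguration allowList = allowListConfig(trusted);

        for (String origin : requestOrigins) {
            System.out.printf("%-35s wildcard -> %-6s allow-list -> %s%n",
                origin, decide(wildcard, origin), decide(allowList, origin));
        }
    }
}
```

With the wildcard configuration checkOrigin() answers "*" for both origins, so the attacker's page is served; with the allow-list it echoes the trusted origin and returns null for the attacker, which is what the fix needs to achieve in the deployed configuration.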
Acknowledgments: Name: Jeremy Choi (Red Hat)
This issue has been addressed in the following products: Red Hat Fuse 7.4.1 Via RHSA-2019:3244 https://access.redhat.com/errata/RHSA-2019:3244
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14860
This issue has been addressed in the following products: Red Hat Fuse 7.5.0 Via RHSA-2019:3892 https://access.redhat.com/errata/RHSA-2019:3892