[OSSA 2015-009] Sanitation of metadata label (CVE-2015-3988)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Dashboard (Horizon) |
Fix Released
|
Critical
|
Szymon Wróblewski | ||
Juno |
Fix Released
|
Critical
|
Brant Knudson | ||
Kilo |
Fix Released
|
Critical
|
Brant Knudson | ||
OpenStack Security Advisory |
Fix Released
|
High
|
Tristan Cacqueray |
Bug Description
1) Start up Horizon
2) Go to Images
3) Next to an image, pick "Update Metadata"
4) From the dropdown button, select "Update Metadata"
5) In the Custom box, enter a value with some HTML like '</script>
6) On the right-hand side, give it a value, like "ee"
7) Click "Save"
8) Pick "Update Metadata" for the image again, the page will fail to load, and the JavaScript console says:
SyntaxError: invalid property id
var existing_metadata = {"
An alternative is if you change the URL to update_metadata for the image (for example, http://
I'm not sure if update_metadata is actually a page, though... can't figure out how to get to it other than typing it in.
Changed in horizon: | |
assignee: | nobody → Doug Fish (drfish) |
Changed in horizon: | |
assignee: | nobody → Thai Tran (tqtran) |
Changed in ossa: | |
importance: | Critical → High |
status: | Confirmed → Triaged |
Changed in horizon: | |
assignee: | Thai Tran (tqtran) → Szymon Wróblewski (bluex) |
status: | Confirmed → In Progress |
Changed in horizon: | |
status: | Fix Committed → Fix Released |
Changed in horizon: | |
status: | Fix Released → Fix Committed |
tags: | added: icehouse-backport-potential juno-backport-potential kilo-backport-potential |
Changed in ossa: | |
status: | Triaged → In Progress |
summary: |
- Sanitation of metadata label + Sanitation of metadata label (CVE-2015-3988) |
summary: |
- Sanitation of metadata label (CVE-2015-3988) + [OSSA 2015-009] Sanitation of metadata label (CVE-2015-3988) |
Changed in ossa: | |
status: | Fix Committed → Fix Released |
Changed in horizon: | |
status: | Fix Committed → Fix Released |
Changed in horizon: | |
milestone: | liberty-1 → 8.0.0 |
tags: | removed: icehouse-backport-potential in-stable-juno in-stable-kilo juno-backport-potential kilo-backport-potential |
Looks like this same thing is possible for flavors metadata, too.