[ 
https://issues.apache.org/jira/browse/AMBARI-25283?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Zhiguo Wu updated AMBARI-25283:
-------------------------------
    Fix Version/s: 2.8.0

> Ambari UI evaluates JavaScript embedded in user input when adding hosts,
> adding remote clusters, and renaming the cluster
> -------------------------------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-25283
>                 URL: https://issues.apache.org/jira/browse/AMBARI-25283
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-admin
>    Affects Versions: 2.7.3
>            Reporter: Andriy Babiichuk
>            Assignee: Andriy Babiichuk
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 2.8.0, 2.7.4
>
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> Ambari's UI evaluates JavaScript blocks embedded in user input when adding
> hosts, adding remote clusters, and renaming the cluster.
> The script evaluation appears to occur before the data is submitted and saved
> to the Ambari database (if saved at all). Therefore, no XSS vulnerability
> needs to be reported since the scope of the threat is only to the interactive
> user at the instance the data is evaluated.
> *Add remote cluster steps to reproduce:*
> # Log into Ambari and navigate to admin > Manage Ambari > Cluster Management >
> Remote Cluster > Register Remote Cluster.
> # Enter a malicious script in the Ambari Cluster URL textbox and click Save. The
> output of the XSS is reflected.
> *Add hosts steps to reproduce:*
> # Log into Ambari and navigate to Hosts > Actions > Add New Hosts.
> # Enter a malicious script in the Target Hosts textbox and click Save. The
> output of the XSS is reflected.
> *Edit cluster name steps to reproduce:*
> # Log into Ambari and navigate to admin > Manage Ambari > Cluster Management >
> Cluster Information.
> # Enter a malicious script in the Cluster Name textbox. The output of the XSS is
> reflected.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
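The three repro steps above all describe the same client-side pattern: a form value is interpolated into markup and handed to the browser before it is validated or saved, so any script in it runs in the reporter's own session. The following is an added example, not Ambari's code and not taken from the pull request attached to this issue. The render functions, the sample payload and the field validators are hypothetical; the hostname validator in particular accepts only literal hostnames and ignores the range expressions the real Target Hosts field supports.

```javascript
// Added example (not Ambari code): how a UI can evaluate script in user input
// before the value is ever saved, and the two fixes a reviewer would ask for.
// Field names mirror the Jira report; all functions here are hypothetical.

// Constructed sample input standing in for the "malicious script" in the report.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

// Vulnerable pattern: the raw value is interpolated into an HTML string that is
// later assigned to element.innerHTML. The browser parses it and runs the
// onerror handler (or a <script> block) for whoever typed it, whether or not
// the value is ever POSTed to the server. This is the class of behaviour the
// issue describes; it is not the actual Ambari template.
function renderClusterUrlUnsafe(clusterUrl) {
  return `<td class="cluster-url">${clusterUrl}</td>`;
}

// Fix 1: escape every HTML metacharacter before interpolating into markup.
// (Assigning to textContent instead of innerHTML avoids the problem outright,
// but many string-templated UIs still build HTML this way.)
function escapeHtml(value) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '/': '&#x2F;',
  };
  return String(value).replace(/[&<>"'/]/g, (ch) => map[ch]);
}

function renderClusterUrlSafe(clusterUrl) {
  return `<td class="cluster-url">${escapeHtml(clusterUrl)}</td>`;
}

// Fix 2: validate each field against what it is supposed to hold, so junk is
// rejected before it reaches any template at all.

// A remote cluster URL must parse as http(s) with a non-empty host.
// "javascript:" URLs parse successfully, so the protocol check is essential.
function isValidClusterUrl(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return false;
  }
  return (url.protocol === 'http:' || url.protocol === 'https:') && url.hostname.length > 0;
}

// RFC 1123 hostname: 1-63 char labels of [A-Za-z0-9-], no leading/trailing
// hyphen, total length <= 253. Simplification: no Ambari range patterns.
const HOSTNAME_RE =
  /^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$/;

function isValidHostname(input) {
  return HOSTNAME_RE.test(input);
}

// Target Hosts is a multi-line textbox: check every non-blank line and report
// the offending entries rather than silently dropping them.
function validateTargetHosts(text) {
  const rejected = text
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter(Boolean)
    .filter((host) => !isValidHostname(host));
  return { ok: rejected.length === 0, rejected };
}

// Stand-alone demonstration.
console.log('unsafe markup :', renderClusterUrlUnsafe(PAYLOAD));
console.log('escaped markup:', renderClusterUrlSafe(PAYLOAD));
console.log('payload as URL:', isValidClusterUrl(PAYLOAD));
console.log('javascript URL:', isValidClusterUrl('javascript:alert(1)'));
console.log('target hosts  :', validateTargetHosts(
  'c7401.ambari.apache.org\nc7402.ambari.apache.org\n' + PAYLOAD + '\n'));
```

Escaping at render time closes the self-XSS regardless of where the value came from, and is the fix that matters if the value is ever persisted and shown to another user; the validators are defence in depth that also give the user a useful error instead of a silently broken row.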
