All the vulnerabilites related to redhat - jboss_data_virtualization_\&_services
cve-2017-2658
Vulnerability from cvelistv5
Published
2018-07-27 18:00
Modified
2024-08-05 14:02
Severity ?
EPSS score ?
Summary
It was discovered that the Dashbuilder login page as used in Red Hat JBoss BPM Suite before 6.4.2 and Red Hat JBoss Data Virtualization & Services before 6.4.3 could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console (clickjacking).
References
| ▼ | URL | Tags |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2017-0557.html | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2018:2243 | vendor-advisory, x_refsource_REDHAT | |
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2658 | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/97025 | vdb-entry, x_refsource_BID |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T14:02:07.203Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2017:0557",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0557.html"
},
{
"name": "RHSA-2018:2243",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2243"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2658"
},
{
"name": "97025",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/97025"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "BPMS",
"vendor": "Red Hat",
"versions": [
{
"status": "affected",
"version": "6.4.2"
}
]
},
{
"product": "JDV",
"vendor": "Red Hat",
"versions": [
{
"status": "affected",
"version": "6.4.3"
}
]
}
],
"datePublic": "2018-07-27T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "It was discovered that the Dashbuilder login page as used in Red Hat JBoss BPM Suite before 6.4.2 and Red Hat JBoss Data Virtualization \u0026 Services before 6.4.3 could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console (clickjacking)."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-07-28T09:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2017:0557",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0557.html"
},
{
"name": "RHSA-2018:2243",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2243"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2658"
},
{
"name": "97025",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/97025"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2017-2658",
"datePublished": "2018-07-27T18:00:00",
"dateReserved": "2016-12-01T00:00:00",
"dateUpdated": "2024-08-05T14:02:07.203Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2018-07-27 18:29
Modified
2024-11-21 03:23
Severity ?
2.6 (Low) - CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
6.5 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Summary
It was discovered that the Dashbuilder login page as used in Red Hat JBoss BPM Suite before 6.4.2 and Red Hat JBoss Data Virtualization & Services before 6.4.3 could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console (clickjacking).
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | http://rhn.redhat.com/errata/RHSA-2017-0557.html | Broken Link, Vendor Advisory | |
| secalert@redhat.com | http://www.securityfocus.com/bid/97025 | Third Party Advisory, VDB Entry | |
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2018:2243 | Vendor Advisory | |
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2658 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://rhn.redhat.com/errata/RHSA-2017-0557.html | Broken Link, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/97025 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2018:2243 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2658 | Issue Tracking, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| redhat | jboss_bpm_suite | * | |
| redhat | jboss_data_virtualization_\&_services | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:jboss_bpm_suite:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8A87B62D-04DC-441E-84DB-1599F9D2FF24",
"versionEndExcluding": "6.4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_data_virtualization_\\\u0026_services:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0989836C-2239-4CF7-8E58-2B041BE93AA9",
"versionEndExcluding": "6.4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "It was discovered that the Dashbuilder login page as used in Red Hat JBoss BPM Suite before 6.4.2 and Red Hat JBoss Data Virtualization \u0026 Services before 6.4.3 could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console (clickjacking)."
},
{
"lang": "es",
"value": "Se ha descubierto que la p\u00e1gina de inicio de sesi\u00f3n de Dashbuilder tal y como se utilizaba en Red Hat JBoss BPM Suite en versiones anteriores a la 6.4.2 y en Red Hat JBoss Data Virtualization Services en versiones anteriores a la 6.4.3 pod\u00eda abrirse en un IFRAME, lo que permit\u00eda interceptar y manipular las solicitudes. Un atacante podr\u00eda usar este defecto para enga\u00f1ar a un usuario para que realice acciones arbitrarias en la consola (clickjacking)."
}
],
"id": "CVE-2017-2658",
"lastModified": "2024-11-21T03:23:55.287",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-07-27T18:29:01.187",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link",
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0557.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/97025"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2243"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2658"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0557.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/97025"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2243"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2658"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "secalert@redhat.com",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}