Project: Ambari (Retired)
Issue: AMBARI-25283

Ambari UI evaluates Javascript embedded in user input when adding hosts, adding remote clusters, and renaming the cluster

Details

    Description

      Ambari's UI evaluates JavaScript blocks embedded in user input when adding hosts, adding remote clusters, and renaming the cluster.

      The script evaluation appears to occur before the data is submitted and saved to the Ambari database (if it is saved at all). Therefore, no XSS vulnerability needs to be reported, since the threat is limited to the interactive user at the moment the data is evaluated.

      Add remote cluster, steps to reproduce:

      1. Log into Ambari and navigate to admin > Manage Ambari > Cluster Management > Remote Cluster > Register Remote Cluster.
      2. Enter a malicious script in the Ambari Cluster URL textbox and click Save. The output of the XSS is reflected.

      Add hosts, steps to reproduce:

      1. Log into Ambari and navigate to Hosts > Actions > Add New Hosts.
      2. Enter a malicious script in the Target Hosts textbox and click Save. The output of the XSS is reflected.

      Edit cluster name, steps to reproduce:

      1. Log into Ambari and navigate to admin > Manage Ambari > Cluster Management > Cluster Information.
      2. Enter a malicious script in the Cluster Name textbox. The output of the XSS is reflected.
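      The following JavaScript is an added illustration, not Ambari's code and not the fix applied for this issue: it shows the bug class behind the three fields above (a value typed into Target Hosts, Cluster URL or Cluster Name spliced into markup instead of being rendered as text) beside an escaping renderer and a hostname validator for the Target Hosts field. The field names come from the report; the function names and sample hosts are assumptions.

```javascript
// Added example (not Ambari's code). Models the bug class in AMBARI-25283:
// user-supplied text rendered into the page as HTML rather than as text.
// A constructed "unsafe" renderer shows the pattern; the "safe" renderer
// HTML-escapes each value, and a validator rejects non-hostname input.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape the five characters that can change HTML context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the value is concatenated straight into markup that
// the UI later hands to the browser as HTML, so embedded tags are evaluated.
function renderHostListUnsafe(hosts) {
  return '<ul>' + hosts.map((h) => `<li>${h}</li>`).join('') + '</ul>';
}

// Hardened pattern: same output shape, but every value is escaped, so a
// host entry containing "<" is displayed literally and never parsed as a tag.
function renderHostListSafe(hosts) {
  return '<ul>' + hosts.map((h) => `<li>${escapeHtml(h)}</li>`).join('') + '</ul>';
}

// Second layer for the Target Hosts field: accept RFC 1123 hostnames only
// (labels of letters, digits and hyphens, no leading/trailing hyphen).
// Output escaping stays the primary fix; validation narrows the input.
const HOST_LABEL = /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;
function isValidHostname(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 253) return false;
  return name.split('.').every((label) => HOST_LABEL.test(label));
}

// Constructed sample input (assumption): one legitimate host, one carrying markup.
const SAMPLE_HOSTS = ['node1.example.internal', 'node2<b>bold</b>.example'];

// Stand-alone demonstration: the unsafe renderer leaks the tag, the safe one does not.
console.log(renderHostListUnsafe(SAMPLE_HOSTS));
console.log(renderHostListSafe(SAMPLE_HOSTS));
console.log(SAMPLE_HOSTS.map(isValidHostname)); // [ true, false ]
```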

      People

        ababiichuk Andriy Babiichuk