[AMBARI-25283] Ambari UI evaluates Javascript embedded in user input when adding hosts, adding remote clusters, and renaming the cluster - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 2.7.3
Fix Version/s: 2.8.0, 2.7.4
Component/s: ambari-admin
Labels:
- pull-request-available

Description

Ambari's UI evaluates Javascript blocks embedded in user input when adding hosts, adding remote clusters, and renaming the cluster.

The script evaluation appears to occur before the data is submitted and saved to the Ambari database (if save at all). Therefore, no XSS vulnerability needs to be reported since the scope of the threat is only to the interactive user at the instance the data is evaluated.

Add remote cluster steps to reproduce:

Log into ambari and navigate to admin > Manage Ambari> Cluster Management> Remote Cluster > Register Remote Cluster
Enter malicious script in Ambari Cluster URL textbox and click on save. The output of XSS is reflected.

Add hosts steps to reproduce:

Log into ambari and navigate to Hosts> Actions> Add New Hosts
Enter malicious script in Target Hosts textbox and click on save. The output of XSS is reflected

Edit cluster name steps to reproduce:

Log into ambari and navigate to admin > Manage Ambari> Cluster Management> Cluster Information
Enter malicious script in Cluster Name textbox. The output of XSS is reflected

Attachments

Issue Links

links to

GitHub PR#3466

GitHub Pull Request #2980

Activity

People

Assignee:: Andriy Babiichuk

Reporter:: Andriy Babiichuk

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 21/May/19 10:36

Updated:: 09/Nov/22 08:45

Resolved:: 21/May/19 12:59

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

1h 10m