[ https://issues.apache.org/jira/browse/AMBARI-25283?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
ASF GitHub Bot updated AMBARI-25283:
------------------------------------
Labels: pull-request-available (was: )
> Ambari UI evaluates Javascript embedded in user input when adding hosts,
> adding remote clusters, and renaming the cluster
> -------------------------------------------------------------------------------------------------------------------------
>
> Key: AMBARI-25283
> URL: https://issues.apache.org/jira/browse/AMBARI-25283
> Project: Ambari
> Issue Type: Bug
> Components: ambari-admin
> Affects Versions: 2.7.3
> Reporter: Andrii Babiichuk
> Assignee: Andrii Babiichuk
> Priority: Major
> Labels: pull-request-available
> Fix For: 2.7.4
>
>
> Ambari's UI evaluates JavaScript blocks embedded in user input when adding
> hosts, adding remote clusters, and renaming the cluster.
> The script evaluation appears to occur before the data is submitted and saved
> to the Ambari database (if saved at all). Therefore, no XSS vulnerability
> needs to be reported since the scope of the threat is only to the interactive
> user at the instance the data is evaluated.
> *Add remote cluster steps to reproduce:*
> # Log in to Ambari and navigate to admin > Manage Ambari > Cluster Management >
> Remote Cluster > Register Remote Cluster
> # Enter malicious script in Ambari Cluster URL textbox and click on save. The
> output of XSS is reflected.
> *Add hosts steps to reproduce:*
> # Log in to Ambari and navigate to Hosts > Actions > Add New Hosts
> # Enter malicious script in Target Hosts textbox and click on save. The
> output of XSS is reflected.
> *Edit cluster name steps to reproduce:*
> # Log in to Ambari and navigate to admin > Manage Ambari > Cluster Management >
> Cluster Information
> # Enter malicious script in Cluster Name textbox. The output of XSS is
> reflected.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
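
The three inputs named in the issue (Target Hosts, Ambari Cluster URL, Cluster Name) can be validated per field and escaped before anything is echoed back into the page. The following is an added example, not Ambari's code and not the fix for this issue, which the message does not show; every function name and validation rule in it is a hypothetical assumption.

```javascript
// Added illustration; not Ambari code. All names and rules below are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five HTML-significant characters so the value renders as text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed rule: RFC 1123 style host name (labels of letters, digits, hyphens).
function isValidHostname(name) {
  if (name.length === 0 || name.length > 253) return false;
  return name.split('.').every((label) => /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i.test(label));
}

// Assumed rule: the cluster URL must parse, use http or https, and carry no markup characters.
function isValidClusterUrl(text) {
  try {
    const url = new URL(text);
    return (url.protocol === 'http:' || url.protocol === 'https:') && !/[<>"'\s]/.test(text);
  } catch (e) {
    return false;
  }
}

// Assumed rule: letters, digits and underscore, up to 80 characters.
function isValidClusterName(name) {
  return /^[A-Za-z0-9_]{1,80}$/.test(name);
}

// Split the Target Hosts text area into accepted and rejected entries.
function parseTargetHosts(text) {
  const entries = text.split(/[\s,]+/).filter(Boolean);
  return {
    valid: entries.filter(isValidHostname),
    rejected: entries.filter((entry) => !isValidHostname(entry)),
  };
}

// Build the "invalid entries" markup; user input is escaped before it reaches HTML.
function renderRejected(rejected) {
  if (rejected.length === 0) return '';
  const items = rejected.map((entry) => `<li>${escapeHtml(entry)}</li>`).join('');
  return `<ul class="invalid-hosts">${items}</ul>`;
}

// Constructed sample input, not taken from the issue.
const SAMPLE_HOSTS = 'node1.example.com\n<script>alert(1)</script>\nnode2.example.com';
```

Escaping at the point of output is the part that matters for the behaviour reported here, since the issue describes evaluation happening before the value is submitted; the validators only narrow what reaches that point.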