Dear TSC,

This is a notification email to ensure full transparency of the ONAP vulnerability management subcommittee.

On 28th of November 2019 we ([email protected]) received a report from a user identifying himself as "p0desta" on Server Side Request Forgery in the ONAP Jira instance (jira.onap.org). The vulnerability was previously known and identified as CVE-2019-8451. The official Atlassian ticket related to this vulnerability is:
https://jira.atlassian.com/browse/JRASERVER-69793

As the vulnerability is not related to ONAP itself, but only to the supporting infrastructure, we decided not to create a new OJSI ticket nor issue an ONAP Security Advisory (OSA) but rather report it directly to the Linux Foundation using a limited visibility service desk ticket:
https://jira.linuxfoundation.org/servicedesk/customer/portal/2/IT-18372

The vulnerability has been fixed today by the Linux Foundation IT support team by performing an upgrade of the ONAP Jira instance to the version that includes a fix for this security vulnerability.

Best regards,
--
Krzysztof Opasiak
on behalf of the ONAP vulnerability sub-committee
Samsung R&D Institute Poland
Samsung Electronics

View/Reply Online (#5728): https://lists.onap.org/g/onap-tsc/message/5728
