SB2017082915 - Multiple vulnerabilities in Apache Atlas

Published: August 29, 2017 Updated: August 8, 2020

Security Bulletin ID SB2017082915
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium: 17% (1 of 6) Low: 83% (5 of 6)

Description

This security bulletin contains information about 6 vulnerabilities, all in the Apache Atlas web UI and REST layer. Affected versions: 0.6.0-incubating and 0.7.0-incubating.


1) Cookie accessible to client-side script (CVE-ID: CVE-2017-3150)

The vulnerability allows a remote attacker who can execute script in a victim's browser (for example via one of the cross-site scripting issues below) to read the victim's cookies and hijack the session.

Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating set cookies without the HttpOnly attribute, so they could be read by client-side script.


2) Cross-site scripting (CVE-ID: CVE-2017-3151)

The vulnerability allows a remote attacker who can use the edit-tag functionality to store script that runs in the browser of every user who later views the affected tag, with that user's privileges.

Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to stored cross-site scripting in the edit-tag functionality: tag input was written back into the page without HTML encoding.


3) Cross-site scripting (CVE-ID: CVE-2017-3152)

The vulnerability allows a remote attacker to have attacker-controlled input interpreted as markup by the browser-side code of the UI, executing script in the victim's session.

Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to DOM-based cross-site scripting in the edit-tag functionality: client-side JavaScript inserted untrusted values into the DOM as HTML rather than as text.


4) Cross-site scripting (CVE-ID: CVE-2017-3153)

The vulnerability allows a remote non-authenticated attacker to craft a search URL which, when opened by a logged-in user, executes attacker-supplied script in that user's session.

Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to reflected cross-site scripting in the search functionality: the search term was echoed into the response without HTML encoding.


5) Information disclosure (CVE-ID: CVE-2017-3154)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information about the server-side implementation.

Error responses from Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating included the full Java stack trace, exposing class names, code paths and library details that aid further attacks.


6) Cross-frame scripting (CVE-ID: CVE-2017-3155)

The vulnerability allows a remote non-authenticated attacker to embed the Atlas UI in a frame on an attacker-controlled page and trick a logged-in user into performing actions in it (clickjacking).

Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to cross-frame scripting: responses carried neither an X-Frame-Options header nor a Content-Security-Policy frame-ancestors directive restricting who may frame the UI.
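
The header- and body-level symptoms of issues 1, 4, 5 and 6 (cookie without HttpOnly, search input reflected unencoded, stack trace in an error body, page can be framed) can be checked offline against captured HTTP responses. The Python below is an added example written for this bulletin; it is not code from the Apache Atlas project. The two sample responses, the SESSIONID cookie name and the org.apache.atlas stack frame in them are constructed for illustration, not captures from a real server. The checks are generic and apply to any web application's responses, not only Atlas.

```python
"""Offline checks for the weakness classes in this bulletin (added example).

The sample responses, cookie name and stack-frame text below are constructed
for illustration; they are not captures from an Apache Atlas server.
"""
import re

# One Java stack-trace frame, e.g.
#   at org.apache.atlas.web.resources.EntityResource.getEntity(EntityResource.java:123)
# Its presence in a response body is the signature of the CVE-2017-3154 class.
JAVA_FRAME_RE = re.compile(r"^\s*at [\w$.<>]+\([^)]*\)\s*$", re.MULTILINE)

# Probe for the reflected-XSS check: echoed back unencoded, the browser parses it as markup.
XSS_PROBE = "<img src=x onerror=alert(1)>"


def cookies_without_httponly(headers):
    """Names of cookies set without HttpOnly (CVE-2017-3150 class).

    `headers` is a list of (name, value) pairs so repeated Set-Cookie headers
    survive; most client libraries merge them into one dict entry.
    """
    exposed = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attributes = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attributes:
            exposed.append(cookie_name)
    return exposed


def framing_allowed(headers):
    """True if nothing restricts embedding the page in a third-party frame (CVE-2017-3155 class)."""
    for name, value in headers:
        lowered = name.lower()
        if lowered == "x-frame-options" and value.strip().upper() in ("DENY", "SAMEORIGIN"):
            return False
        if lowered == "content-security-policy" and "frame-ancestors" in value.lower():
            return False
    return True


def leaks_stack_trace(body):
    """True if the body contains at least one Java stack-trace frame."""
    return JAVA_FRAME_RE.search(body) is not None


def reflects_probe_unencoded(body, probe=XSS_PROBE):
    """True if the probe comes back verbatim (CVE-2017-3153 class).

    A correctly escaping page returns &lt;img src=x ...&gt; instead. A raw '<'
    outside <script>/<textarea> is enough to inject markup; confirm in a browser
    before filing, since other HTML contexts need other probes.
    """
    return probe in body


def audit(response):
    """Run every check against one response; returns a list of finding strings."""
    headers, body = response["headers"], response["body"]
    findings = [f"cookie {c} readable by script (no HttpOnly)" for c in cookies_without_httponly(headers)]
    if framing_allowed(headers):
        findings.append("page can be framed (no X-Frame-Options / frame-ancestors)")
    if leaks_stack_trace(body):
        findings.append("Java stack trace in response body")
    if reflects_probe_unencoded(body):
        findings.append("search probe reflected unencoded")
    return findings


# Constructed sample: a failing search request against a server with all four weaknesses.
VULNERABLE_RESPONSE = {
    "headers": [("Content-Type", "text/html"), ("Set-Cookie", "SESSIONID=deadbeef; Path=/")],
    "body": (
        "<h1>Results for <img src=x onerror=alert(1)></h1>\n"
        "<pre>java.lang.IllegalArgumentException: bad query\n"
        "    at org.apache.atlas.web.resources.EntityResource.getEntity(EntityResource.java:123)\n"
        "    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\n</pre>"
    ),
}

# Constructed sample: the same request against a hardened server.
HARDENED_RESPONSE = {
    "headers": [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "SESSIONID=deadbeef; Path=/; HttpOnly; Secure"),
        ("X-Frame-Options", "DENY"),
    ],
    "body": "<h1>Results for &lt;img src=x onerror=alert(1)&gt;</h1>\n<p>Bad query (error id 42)</p>",
}

if __name__ == "__main__":
    for label, resp in (("vulnerable", VULNERABLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(resp) or ["no findings"])
```

To use it on a live target, send the probe as the search term and a deliberately malformed request to provoke an error, then pass each response's header pairs and body to audit(). Keep repeated Set-Cookie headers as separate pairs, otherwise a second cookie's attributes can mask the first's. The stored and DOM-based variants (issues 2 and 3) need the same reflection test run against the page that later renders the tag, not against the edit request itself.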


Remediation

Upgrade to a release of Apache Atlas later than 0.7.0-incubating that contains the fixes, as published on the Apache Atlas project site. Until the upgrade is applied, the header-level issues (missing HttpOnly, missing X-Frame-Options, verbose error bodies) can be reduced at a reverse proxy in front of the web UI; the cross-site scripting issues themselves require the vendor fix.