CVE-2017-9394
CVSS3.5
发布时间 :2017-11-14 16:29:01
修订时间 :2017-11-30 13:07:03
NMPS    

[原文]A stored cross-site scripting vulnerability in CA Identity Governance 12.6 allows remote authenticated attackers to display HTML or execute script in the context of another user.


[CNNVD]CNNVD数据暂缺。


[机译]译文暂缺.

- CVSS (基础分值)

CVSS分值: 3.5 [轻微(LOW)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: MEDIUM [漏洞利用存在一定的访问条件]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: SINGLE_INSTANCE [--]

- CWE (弱点类目)

CWE-79 [在Web页面生成时对输入的转义处理不恰当(跨站脚本)]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9394
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9394
(官方数据源) NVD

- 其它链接及资源

http://www.securityfocus.com/bid/101849
(VENDOR_ADVISORY)  BID  101849
https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20171114-01--security-notice-for-ca-identity-governance.html
(VENDOR_ADVISORY)  CONFIRM  https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20171114-01--security-notice-for-ca-identity-governance.html

- 漏洞信息 (F145002)

CA Identity Governance 12.6 Cross Site Scripting (PacketStormID:F145002)
2017-11-15 00:00:00
Kevin Kotas,Jake Miller  www3.ca.com
advisory,xss
CVE-2017-9394
[点击下载]

CA Identity Governance version 12.6 suffers from a cross site scripting vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CA20171114-01: Security Notice for CA Identity Governance

Issued: November 14, 2017
Last Updated: November 14, 2017

CA Technologies support is alerting customers to a potential risk
with CA Identity Governance. A vulnerability exists that can
potentially allow a malicious actor to conduct cross-site scripting
attacks. CA published a solution to resolve the issue.

The vulnerability, CVE-2017-9394, occurs due to insufficient input
validation that can result in a stored cross-site scripting
vulnerability. The vulnerability can allow an authenticated remote
attacker to display HTML or execute script in the context of another
user.

Risk Rating

Medium

Platform(s)

All Server Environments where CA Identity Governance can be deployed.
Please refer to the Platform Support Matrix in the product
documentation at https//docops.ca.com

Affected Products

CA Identity Governance 12.6

Note: CA Identity Governance (formerly GovernanceMinder) releases
prior to 12.6 are no longer supported

Unaffected Products

CA Identity Governance 14.0, 14.1

How to determine if the installation is affected

Use the web interface to determine the version and check the version
against the affected products list.

Solution

CA Identity Governance 12.6.5:
Update to CA Identity Governance 12.6.5 CR1 CP3 - RS98844

CA Identity Governance releases previous to 12.6.5:
Open a support ticket to request a hotfix

References

CVE-2017-9394 - CA Identity Governance stored XSS

Acknowledgement

CVE-2017-9394 - Jake Miller of Blue Canopy - A Jacobs company

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Technologies
Support at https://support.ca.com/

If you discover a vulnerability in CA Technologies products, please
report your findings to CA Technologies Product Vulnerability
Response at vuln <AT> ca.com

Security Notices and PGP key
support.ca.com/irj/portal/anonymous/phpsbpldgpg
www.ca.com/us/support/ca-support-online/documents.aspx?id=177782

Regards,

Kevin Kotas
Vulnerability Response Director
CA Technologies Product Vulnerability Response

Copyright (c) 2017 CA. 520 Madison Avenue, 22nd Floor, New York, NY
10022.  All other trademarks, trade names, service marks, and logos
referenced herein belong to their respective companies.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop
Charset: utf-8

wsFVAwUBWgse1MMr2sgsME5lAQq+dQ/9FKU/gOIc5DNXauei+NfHuwA+BoiIA0yc
PMWr2WIPT7skEFy/T46sKHN1TMVGCG/rUPlPL+BA46oicb9Wvk+0J4VvTheT3E1m
fracPD4As/sNQiMmDYYGjC38Acf0/zqEtBBD5KAcbvV+RvRWn+mOaKjhxBbKOJ5O
Xr1bDCEkRRhtVIqZEXVzexX/14OEWX3E5elDXQ6tVHhwtE33sNzoIk+Z+oblXIO7
CwwAHtgGqCJ8q0biA8z6eXQ7rKQsxaZjAkZq3BCNG5QbFzo4jeO+VAKR+usnIbhW
qiFrfqromX07E8nEt60SJebYIx4VSpdkEHhCMmNSKMEwKzA1Ux0SXaXreG5qt3xt
da81cAJPgxZ+1TupiIUH2yO8dnYtdpWqoPFD4Iiv7Z7hhoP2BkCt0GPyH6l14IiM
nne+WYhyhGRz1ksS5Z2hxzXLH1XBX8pFOGnLQji/5z9V09gacB93kgDw5ye7+wxc
+gxiggyDdtCRRGQ+PSAvGz39GGcDNhu6tBzrOXoYUufuSSX2WjWIv0ZzXL9xKUxP
Ax3AVot/wNr9gRBYZOh0Xb+/7KW82Va1jl9UMwlkxKjoEsjrhZWIzEgYLdEtR0Xr
wcHORXxEzre1/5xQ1WyMidmFDw3gSyY5B1v0XEnW75KSmzvdSv/NDYEWTOgCfN0l
wOjhbaCuKsc=
=DQbf
-----END PGP SIGNATURE-----


    

- 漏洞信息

CA Identity Governance CVE-2017-9394 HTML Injection Vulnerability
Input Validation Error 101849
Yes No
2017-11-15 12:00:00 2017-11-15 03:07:00
Jake Miller of Blue Canopy.

- 受影响的程序版本

Ca Identity Governance 12.6
,Ca Identity Governance 12.6.5

- 不受影响的程序版本

Ca Identity Governance 12.6.5

- 漏洞讨论

CA Identity Governance is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

CA Identity Governance 12.6 is vulnerable; other versions may also be affected.

- 漏洞利用

An attacker can exploit this issue using a web browser.

- 解决方案

Updates are available. Please see the references or vendor advisory for more information.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站