CVE-2017-7400
A cross-site scripting flaw was discovered in the OpenStack dashboard (horizon) which allowed remote authenticated administrators to conduct XSS attacks using a crafted federation mapping rule. For this flaw to be exploited, federation mapping must be enabled in the dashboard.
Find out more about CVE-2017-7400 from the MITRE CVE dictionary dictionary and NIST NVD.
CVSS v3 metrics
| CVSS3 Base Score | 3.5 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | High |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity Impact | Low |
| Availability Impact | None |
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat OpenStack Platform 10 (python-django-horizon) | RHSA-2017:1598 | 2017-06-28 |
| Red Hat OpenStack Platform 9.0 (python-django-horizon) | RHSA-2017:1739 | 2017-07-12 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat OpenStack Platform 8.0 (Liberty) | python-django-horizon | Not affected |
| Red Hat OpenStack Platform 11.0 (Ocata) | python-django-horizon | Not affected |
| Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 | python-django-horizon | Not affected |
| Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 | python-django-horizon | Not affected |
| Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) | python-django-horizon | Not affected |