An update for openstack-manila-ui is now available for Red Hat OpenStackPlatform 9.0 (Mitaka).Red Hat Product Security has rated this update as having a security impact ofModerate. A Common Vulnerability Scoring System (CVSS) base score, which gives adetailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
OpenStack’s File Share Service (manila) provides the means to easily provisionshared file systems that can be consumed by multiple instances. These sharedfile systems are provisioned from pre-existing, back-end volumes. The UIcomponent provides the dashboard plugin for the service.Security Fix(es):* A cross-site scripting flaw was discovered in openstack-manila-ui’s Metadatafield contained in its “Create Share” form. A user could inject maliciousHTML/JavaScript code that would then be reflected in the “Shares” overview.Remote, authenticated, but unprivileged users could exploit this vulnerabilityto steal session cookies and escalate their privileges. (CVE-2016-6519)Red Hat would like to thank SUSE for reporting this issue. SUSE acknowledgesNiklaus Schiess as the original reporter.

1375147 – CVE-2016-6519 openstack-manila-ui: persistent XSS in metadata field

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:

Leave a Reply