CVE-2017-2658

Description

It was discovered that the Dashbuilder login page as used in Red Hat JBoss BPM Suite before 6.4.2 and Red Hat JBoss Data Virtualization & Services before 6.4.3 could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console (clickjacking).

CVSS breakdown

CVSS 3.0

Attack Vector

Adjacent

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Affected products

Red Hat / BPMS6.4.2 – 6.4.2
Red Hat / JDV6.4.3 – 6.4.3

References

MISChttp://rhn.redhat.com/errata/RHSA-2017-0557.html
VENDOR_ADVISORYhttps://access.redhat.com/errata/RHSA-2018:2243
MISChttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2658
MISChttp://www.securityfocus.com/bid/97025