Description
A flaw was found in ManageIQ that lets an attacker force end users to execute unwanted actions on a web application in which they are currently authenticated. An attacker can make a forged HTTP request to the server by crafting a custom Flash file, which can force the user to perform state-changing requests such as provisioning VMs, running Ansible playbooks, and so forth.
Acknowledgements
Red Hat would like to thank Sruthi M (IBM) and Purnachand Pulahari (IBM) for reporting this issue.
https://access.redhat.com/security/cve/cve-2020-14369
Details
The ManageIQ API supports Basic Auth for development purposes, and when the API is called from a web browser, the server's WWW-Authenticate Basic Auth challenge is presented to the user by the browser. The browser, in turn, stores the credentials for the site and attaches them to future calls. As such, a crafted file can access anything in the ManageIQ API via the browser using the stored credentials. To remediate this, we've removed the Basic Auth challenge, eliminating the storage of the credentials and this avenue of attack.
Fixed in ivanchuk, jansa-1, master
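The remediation described above comes down to one header: an API that answers an unauthenticated request with `401` plus `WWW-Authenticate: Basic ...` invites the browser to prompt for and cache credentials, while a bare `401` does not, even though explicit API clients can still send an `Authorization: Basic` header. The following Ruby is an added, illustrative example and is not ManageIQ's code: the module name `ApiAuth`, the credential table `VALID_USERS` and the header strings are all constructed for the example. It puts the weak response beside the remediated one and includes a small check that flags any 401 still carrying a Basic challenge, which is the thing a reviewer would grep a fix for.

```ruby
# Illustrative example, not ManageIQ's implementation. Names (ApiAuth, VALID_USERS)
# and the credential table are constructed for this demonstration.
VALID_USERS = { "admin" => "secret" }.freeze

module ApiAuth
  # Build an "Authorization: Basic <base64(user:password)>" header value,
  # the form an explicit API client would send. pack("m0") is strict base64.
  def self.basic_header(user, password)
    "Basic " + ["#{user}:#{password}"].pack("m0")
  end

  # Parse a Basic Authorization header into [user, password]; nil if it is
  # absent, not Basic, or does not decode to "user:password".
  def self.parse_basic(header)
    return nil unless header.is_a?(String) && header.start_with?("Basic ")
    decoded = header.delete_prefix("Basic ").unpack1("m")
    user, password = decoded.split(":", 2)
    return nil if user.nil? || password.nil? || user.empty?
    [user, password]
  end

  # Constant-time byte comparison so a mismatch position is not observable.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def self.credentials_valid?(header)
    creds = parse_basic(header)
    return false unless creds
    user, password = creds
    expected = VALID_USERS[user]
    !expected.nil? && secure_equal?(expected, password)
  end

  # Weak behaviour (the pre-fix pattern): unauthenticated requests get a Basic
  # challenge. A browser that sees this prompts the user, caches what they type,
  # and silently re-sends it on later requests to the same origin, which is what
  # lets a page the user merely visits drive the API with their credentials.
  def self.respond_with_challenge(headers)
    return { status: 200, headers: {} } if credentials_valid?(headers["Authorization"])
    { status: 401, headers: { "WWW-Authenticate" => 'Basic realm="api"' } }
  end

  # Remediated behaviour: Basic credentials sent explicitly by an API client are
  # still accepted, but failures are a plain 401 with no challenge, so the
  # browser never prompts and never stores anything to replay.
  def self.respond_without_challenge(headers)
    return { status: 200, headers: {} } if credentials_valid?(headers["Authorization"])
    { status: 401, headers: {} }
  end

  # Review check: true if a response is a 401 that still carries a Basic challenge.
  def self.emits_basic_challenge?(response)
    response[:status] == 401 &&
      response[:headers].fetch("WWW-Authenticate", "").start_with?("Basic")
  end
end

if __FILE__ == $PROGRAM_NAME
  anon = {}
  good = { "Authorization" => ApiAuth.basic_header("admin", "secret") }
  puts "weak  401 challenges browser: #{ApiAuth.emits_basic_challenge?(ApiAuth.respond_with_challenge(anon))}"
  puts "fixed 401 challenges browser: #{ApiAuth.emits_basic_challenge?(ApiAuth.respond_without_challenge(anon))}"
  puts "fixed accepts explicit creds: #{ApiAuth.respond_without_challenge(good)[:status]}"
end
```

The check in `emits_basic_challenge?` is the useful part for a fix review or a regression test: run it over every 401 path the API can return, since one endpoint left emitting the challenge is enough to re-enable the credential caching the advisory describes.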