CVE-2017-2658 — Improper Input Validation in Redhat Jboss BPM Suite

CWE-20 — Improper Input Validation6 documents5 sources

Severity

6.5MEDIUMNVD

CNA2.6

EPSS

0.3%

top 46.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Jboss BPM Suite Redhat Jboss Data Virtualization Services RED HAT Bpms +1 more

Timeline

PublishedJul 27

Latest updateMay 13

Description

It was discovered that the Dashbuilder login page as used in Red Hat JBoss BPM Suite before 6.4.2 and Red Hat JBoss Data Virtualization & Services before 6.4.3 could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console (clickjacking).

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶NVDredhat/jboss_data_virtualization_services< 6.4.3

▶NVDredhat/jboss_bpm_suite< 6.4.2

▶CVEListV5red_hat/jdv6.4.3

▶CVEListV5red_hat/bpms6.4.2

🔴Vulnerability Details

GHSA

GHSA-8436-mv8f-g5vq: It was discovered that the Dashbuilder login page as used in Red Hat JBoss BPM Suite before 6↗2022-05-13

▶

CVEList

CVE-2017-2658: It was discovered that the Dashbuilder login page as used in Red Hat JBoss BPM Suite before 6↗2018-07-27

▶

📋Vendor Advisories

Red Hat

Dashbuilder: Lack of clickjacking protection on the login page↗2017-03-16

▶

💬Community

Bugzilla

CVE-2017-7592 libtiff: Left shift of unsigned char without a cast↗2017-04-11

▶

Bugzilla

CVE-2017-2658 Dashbuilder: Lack of clickjacking protection on the login page↗2017-03-16

▶