Bug #2979
csrf vulnerability in sunstone
| Status: | Closed | Start date: | 06/12/2014 |
|---|---|---|---|
| Priority: | High | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | Sunstone | | |
| Target version: | Release 4.6.2 | | |
| Resolution: | invalid | Pull request: | |
| Affected Versions: | OpenNebula 4.6 | | |
Description
Dennis Felsch and Mario Heiderich from the Ruhr-Universität Bochum have reported a series of vulnerabilities: Sunstone was vulnerable to malicious CSRF exploits, and the core's XML sanitization was vulnerable to malformed XML exploits, which allowed DoS attacks.
These issues have been addressed in the "csrf-fix" branch and have been included in the OpenNebula 4.6.2 maintenance release.
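The CSRF part of the report concerns state-changing requests that the web UI accepts without proof that the page issuing them came from the UI itself. The following is an added illustration of the standard defence, a synchronizer token plus an Origin check, written as plain Ruby in the style of a Sinatra-type web UI; it is not OpenNebula's or Sunstone's code, nor the content of the "csrf-fix" branch, and the request hash layout, the `allowed_origin` parameter and the header/parameter names are assumptions made for the example. It does not cover the XML sanitization issue.

```ruby
require 'securerandom'

# Constructed example (not Sunstone code): synchronizer-token CSRF check of
# the kind a web UI applies to every state-changing request.

# Issue a fresh random token and keep it in the server-side session.
# Returns the token so the UI can embed it in forms or a meta tag.
def issue_csrf_token(session)
  session[:csrf] = SecureRandom.hex(32)
end

# Constant-time comparison: the loop always touches every byte, so a timing
# side channel cannot reveal how many leading bytes of the token matched.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Decide whether a request may proceed. `request` is a constructed hash:
#   :method  -> HTTP verb as a string
#   :headers -> request headers, string keys (e.g. "Origin")
#   :params  -> form/JSON parameters, string keys
# `allowed_origin` is the origin the UI is served from (assumed value).
def csrf_check(request, session, allowed_origin)
  # Safe methods are not checked; by contract they must not change state.
  return :ok if %w[GET HEAD OPTIONS].include?(request[:method])

  # If the browser sent an Origin header it must be our own origin.
  origin = request[:headers]['Origin']
  return :bad_origin if origin && origin != allowed_origin

  # The token may travel as a form field or as a custom header.
  expected = session[:csrf]
  given = request[:params]['csrf_token'] || request[:headers]['X-CSRF-Token']
  return :missing_token if expected.nil? || given.nil?
  return :bad_token unless secure_compare(expected, given)

  :ok
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  token = issue_csrf_token(session)
  req = { method: 'POST',
          headers: { 'Origin' => 'https://sunstone.example',
                     'X-CSRF-Token' => token },
          params: {} }
  puts csrf_check(req, session, 'https://sunstone.example')
end
```

A forged cross-site form post cannot read the token out of the victim's session or page, so it either arrives without a token or with a wrong one and is rejected; the Origin check rejects it earlier when the browser supplies that header.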