Delphix

TB068 XSS Vulnerability on the Masking Audit Page

Alert Type

Security

Impact

FIPS 199 Severity Level: Critical

CVSS v3 Base Score: 9.6 (Critical)

CVSS Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): None
  User Interaction (UI): Required
  Scope (S): Changed
  Confidentiality (C): High
  Integrity (I): High
  Availability (A): High

An attacker could inject active content into the Masking Engine GUI's Audit page. Because the injected value is stored in the audit record itself (see Symptoms) rather than reflected from a single request, it executes in the browser of every user who subsequently views the page, with that user's permissions, and can therefore perform any action the viewing user's role allows (for example, creating a new Masking user or editing a Masking connector).

Contributing Factors

Major Release    All Sub Releases
5.3              5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1

Symptoms

This attack can be detected by reviewing the audit logs through the GET /audit-logs Masking API endpoint. Any audit record whose userName field contains code (e.g., HTML <script> tags, JavaScript, event-handler attributes) rather than an alphanumeric username indicates an attack. Triage the records through the API rather than the GUI: the GUI is the vulnerable component, so opening the Audit page to look for a payload may execute it.

An attack may also be noticed if the Audit GUI is malformed or shows executable code in the user column. The absence of these anomalies in the GUI does not guarantee that no attack has occurred, since a working payload need not render anything visible.
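The following script is an added example for this advisory, not Delphix code. It applies the check described above to the JSON returned by GET /audit-logs: every userName is HTML-entity-decoded (so an encoded payload is caught the same way as a raw one) and then rejected if it contains markup hints or falls outside an allowlist of username characters. The advisory names only the userName field; the "responseList" wrapper, the other record keys, the sample records and the Authorization header used by fetch_audit_logs are assumptions about the API shape and should be checked against the engine's API documentation.

```python
"""Flag XSS payloads in the userName field of Delphix Masking audit records.

Added example for this advisory; not Delphix code. Only the field name
"userName" and the endpoint path "/audit-logs" come from the advisory; the
response wrapper, the other keys and the auth header are assumptions.
"""
from __future__ import annotations

import html
import json
import re
import urllib.request

# Constructed sample of a GET /audit-logs response. Records 3-5 carry
# injected markup; 1-2 are ordinary logins. Keys other than userName are
# assumed, not taken from the advisory.
SAMPLE_RESPONSE = json.dumps({
    "responseList": [
        {"auditId": 1, "userName": "admin", "actionType": "LOGIN", "status": "SUCCEEDED"},
        {"auditId": 2, "userName": "jane.doe", "actionType": "CREATE", "status": "SUCCEEDED"},
        {"auditId": 3, "userName": "<script>fetch('/masking/api/users',{method:'POST'})</script>",
         "actionType": "LOGIN", "status": "FAILED"},
        {"auditId": 4, "userName": "&lt;img src=x onerror=alert(1)&gt;",
         "actionType": "LOGIN", "status": "FAILED"},
        {"auditId": 5, "userName": 'bob" onmouseover="alert(1)',
         "actionType": "LOGIN", "status": "FAILED"},
    ]
})

# Characters a legitimate login name is expected to use. The advisory only
# says "alphanumeric"; tune this to the local naming convention.
ALLOWED_USERNAME = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")

# Substrings that never belong in a login name, whatever the convention:
# tag delimiters, a javascript: URL, or an on*= event-handler attribute.
MARKUP_HINTS = re.compile(r"<|>|javascript:|on[a-z]+\s*=", re.IGNORECASE)


def is_suspicious(user_name: str | None) -> bool:
    """Return True if user_name looks like injected markup rather than a login name."""
    if user_name is None:
        return False
    # Decode entities so "&lt;script&gt;" is judged as "<script>"; decoding
    # twice also catches a double-encoded payload.
    decoded = html.unescape(html.unescape(user_name))
    if MARKUP_HINTS.search(decoded):
        return True
    return not ALLOWED_USERNAME.match(decoded)


def find_suspicious(response_json: str) -> list[dict]:
    """Return the audit records whose userName fails is_suspicious()."""
    body = json.loads(response_json)
    # Accept either the assumed {"responseList": [...]} wrapper or a bare list.
    records = body if isinstance(body, list) else body.get("responseList", [])
    return [rec for rec in records if is_suspicious(rec.get("userName"))]


def fetch_audit_logs(base_url: str, token: str) -> str:
    """GET /audit-logs from a live engine. Header name/format is an assumption."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/audit-logs",
        headers={"Authorization": token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline run over the constructed sample. repr() keeps the payload inert
    # if this output is later viewed in a browser-based log viewer.
    for rec in find_suspicious(SAMPLE_RESPONSE):
        print(f"auditId={rec.get('auditId')} suspicious userName={rec['userName']!r}")
```

Run against a live engine by replacing SAMPLE_RESPONSE with the string returned by fetch_audit_logs(base_url, token). Treat any hit as confirmation of an attack and preserve the raw API response as evidence before remediating; the allowlist will also flag unusual but legitimate names, so review hits rather than acting on them automatically.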

Relief/Workaround

  • At the network layer, IP address allowlisting may be used to limit access to the Delphix appliance to approved users only. This reduces who can reach the engine to inject a payload but does not remove the vulnerability.

  • Customers should upgrade to 5.3.8.0 or later.

Resolution

This issue is resolved in the 5.3.8.0 and 6.0.0.0 releases.

Additional Information

See related XSS vulnerability in TB069 XSS Vulnerability on the Masking Rule Set and Inventory Pages.