Delphix

TB069 XSS Vulnerability on the Masking Rule Set and Inventory Pages


Alert Type

Security

Impact

FIPS 199 Severity Level: Critical

CVSS Score: 9.0 (vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H), based on:

Attack Vector (AV): N (Network)

Attack Complexity (AC): L (Low)

Privileges Required (PR): L (Low)

User Interaction (UI): R (Required)

Scope (S): C (Changed)

Confidentiality (C): H (High)

Integrity (I): H (High)

Availability (A): H (High)

An authenticated attacker with low privileges could inject active content (HTML or JavaScript) into the Masking Engine GUI's Rule Set and Inventory pages by supplying a crafted table/file/data set name or column/field name. This is a stored cross-site scripting (XSS) issue: when another user views these pages, the attacker's code executes in that user's browser session with the permissions of the viewing user and can therefore perform any action allowed by that user's role (e.g., create a new Masking user, edit a Masking connector, etc.).

Contributing Factors

The issue may occur when using any version of the Delphix Masking Engine prior to 5.3.8.0, including:

Major Release   All Sub Releases
5.3             5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1
5.2             5.2.0.0, 5.2.1.0, 5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.3.1, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1, 5.2.6.2

Symptoms

An attack may be detected by reviewing the table/file/data set names and column/field names returned by the following Masking API endpoints: GET /table-metadata, GET /column-metadata, GET /file-metadata, GET /file-field-metadata, GET /mainframe-dataset-metadata, and GET /mainframe-dataset-field-metadata. Any name containing markup or code (e.g., HTML <script> tags, inline event handlers, JavaScript code, or HTML-entity-encoded versions of these) indicates an attack. Legitimate schema object names should never contain such content.

Example:

Suppose an API response contains a name with a script tag such as '<script>deleteUser()</script>'. When that name is rendered on the Rule Set or Inventory page, the script executes with the permissions of the user who is logged in. In this example, engine users would be deleted.
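The following scanner automates the check described above. It is an added example, not Delphix code: it walks a decoded JSON response from any of the six metadata endpoints, flags every string value that looks like markup, an inline event handler, a javascript: URL, or an entity-encoded form of these, and reports the JSON path of each hit. The sample responses are constructed, and the response envelope ("responseList"), the field names, the /masking/api base path, the page_size parameter and the "Authorization: <token>" header in fetch_metadata are assumptions about the Masking API, not taken from this advisory; the scanner itself is key-agnostic so it does not depend on them.

```python
"""Scan Delphix Masking metadata names for injected markup (stored-XSS indicators).
Added example; not Delphix code. Response shapes and API paths are assumptions."""
import html
import json
import re
import urllib.request
from typing import Any, Iterator

# The six endpoints the advisory names.
METADATA_ENDPOINTS = (
    "/table-metadata",
    "/column-metadata",
    "/file-metadata",
    "/file-field-metadata",
    "/mainframe-dataset-metadata",
    "/mainframe-dataset-field-metadata",
)

# Indicators of active content in a name: an HTML/SVG tag opener, an inline
# event handler, a javascript: URL, or entity-encoded angle brackets used to
# smuggle one of those past a naive filter.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z]"                  # <script, <img, </div ...
    r"|\bon[a-z]+\s*="                 # onerror=, onload= ...
    r"|javascript\s*:"                 # javascript: URL
    r"|&(?:#\d+|#x[0-9a-f]+|lt|gt);",  # &lt; &gt; &#60; &#x3c;
    re.IGNORECASE,
)


def is_suspicious(name: str) -> bool:
    """True if a metadata name looks like it carries markup or script.
    Checked raw and after one round of HTML-entity decoding, so that an
    encoded payload such as '&lt;img onerror=...&gt;' is caught too."""
    return bool(SUSPICIOUS.search(name) or SUSPICIOUS.search(html.unescape(name)))


def iter_strings(obj: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (json_path, value) for every string value in a decoded response."""
    if isinstance(obj, str):
        yield path, obj
    elif isinstance(obj, dict):
        for key, value in obj.items():
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from iter_strings(value, f"{path}[{index}]")


def scan_response(endpoint: str, body: Any) -> list[dict]:
    """Return one finding per suspicious string in one endpoint's response."""
    return [
        {"endpoint": endpoint, "path": path, "value": value}
        for path, value in iter_strings(body)
        if is_suspicious(value)
    ]


def scan_all(responses: dict[str, Any]) -> list[dict]:
    """Scan a mapping of endpoint -> decoded JSON body; return all findings."""
    findings: list[dict] = []
    for endpoint, body in responses.items():
        findings.extend(scan_response(endpoint, body))
    return findings


def fetch_metadata(engine_url: str, token: str, endpoint: str) -> Any:
    """Optional live fetch. ASSUMPTIONS: API base path /masking/api, a page_size
    query parameter, and the token from POST /login sent as 'Authorization: <token>'."""
    request = urllib.request.Request(
        f"{engine_url.rstrip('/')}/masking/api{endpoint}?page_size=1000",
        headers={"Authorization": token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


# Constructed sample responses (not captured from a real engine); the envelope
# and field names are assumptions about the Masking API's shape.
SAMPLE_RESPONSES: dict[str, Any] = {
    "/table-metadata": {
        "_pageInfo": {"numberOnPage": 2, "total": 2},
        "responseList": [
            {"tableMetadataId": 1, "tableName": "CUSTOMERS", "rulesetId": 7},
            {"tableMetadataId": 2, "rulesetId": 7,
             "tableName": "ORDERS<script>deleteUser()</script>"},
        ],
    },
    "/column-metadata": {
        "_pageInfo": {"numberOnPage": 3, "total": 3},
        "responseList": [
            {"columnMetadataId": 10, "columnName": "EMAIL", "tableMetadataId": 1},
            {"columnMetadataId": 11, "columnName": "R&D_BUDGET", "tableMetadataId": 1},
            {"columnMetadataId": 12, "tableMetadataId": 2,
             "columnName": "x&lt;img src=a onerror=alert(1)&gt;"},
        ],
    },
    "/file-field-metadata": {
        "_pageInfo": {"numberOnPage": 1, "total": 1},
        "responseList": [{"fileFieldMetadataId": 3, "fieldName": "SSN"}],
    },
}

if __name__ == "__main__":
    for finding in scan_all(SAMPLE_RESPONSES):
        print(f"{finding['endpoint']} {finding['path']}: {finding['value']!r}")
```

Against a live engine, replace SAMPLE_RESPONSES with {endpoint: fetch_metadata(url, token, endpoint) for endpoint in METADATA_ENDPOINTS} and walk every page of results; a payload that is only present on page two is still a payload. Any finding should be treated as an indicator of compromise and the affected name removed through the API before anyone opens the Rule Set or Inventory page in a browser.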

Relief/Workaround

  • At the network layer, IP address allowlisting may be used to limit access to the Delphix appliance to approved users only. This reduces who can plant or trigger a payload but does not neutralize a payload that has already been stored; check the metadata names via the API endpoints listed under Symptoms and remove any that contain markup.

  • Customers should upgrade to 5.3.8.0 or later, which contains the fix.

Resolution

This issue is resolved in the 5.3.8.0 and 6.0.0.0 releases.