FIPS 199 Severity Level: Critical
CVSS Score: 9.0 based on
Attack Vector (AV): N
Attack Complexity (AC): L
Privileges Required (PR): L
User Interaction (UI): R
Scope (S): C
Confidentiality (C): H
Integrity (I): H
Availability (A): H
An attacker could inject active code onto the Masking Engine GUI’s Create Rule Set page, into the “Pattern Field”. This vulnerability exists for all File Type Rule Sets (mainframe and delimited), but not for Database Rule Sets. When a user selects the infected rule set on the inventory page, the attacker’s code will execute with the permissions of the user viewing the page and therefore can perform any actions allowed by the user’s role (e.g., create a new Masking user, edit a Masking connector, et cetera).
The issue may occur when using any of the below versions of the Delphix Masking Engine:
|Major Release||All Sub Releases|
|5.3||188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124|
If the API response contains a script tag such as,
<script>deleteUser()</script> , then, when accessed through the GUI, this script will execute with the permissions of the logged in user. In this example, engine users would be deleted.
At the network layer, IP address allowlisting may be used to limit Delphix appliance access to only approved users.
Customers are strongly recommended to upgrade to 126.96.36.199 or 188.8.131.52 or later.
This issue is resolved in the 184.108.40.206 release. It is also resolved in the 220.127.116.11 or later releases.