Skip to main content
Delphix

TB086 XSS Vulnerability with Masking Environment Overview Page

 

 

Alert Type

Security

Impact

FIPS 199 Severity Level: Critical

CVSS Score: 9.0

Attack Vector (AV): N

Attack Complexity (AC): L

Privileges Required (PR): L

User Interaction (UI): R

Scope (S): C

Confidentiality (C): H

Integrity (I): H

Availability (A): H

An attacker could inject active code onto the Masking Engine GUI’s Environment Overview page. When a user views these pages, the attacker’s code will execute with the permissions of the user viewing the page and therefore can perform any actions allowed by the user’s role (e.g., create a new Masking user, edit a Masking connector, et cetera).

Contributing Factors

Click here to view the versions of the Delphix engine to which this article applies
Major Release All Sub Releases
6.0 6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0, 6.0.2.1, 6.0.3.0, 6.0.3.1, 6.0.4.0, 6.0.4.1, 6.0.4.2, 6.0.5.0

5.3

5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0

5.2

5.2.0.0, 5.2.1.0, 5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.3.1, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1, 5.2.6.2

 

Symptoms

This attack may be detected by viewing the connector details (schema name and database name) using Masking API endpoints: GET /database-connectors. Any names containing code (e.g., HTML <script> tags, JavaScript code, etc.) indicate an attack. 

Example: 

Suppose the API response contains a script tag such as <script>deleteUser()</script>, when accessed through the GUI, this script will execute with the permissions of the user logged in. In this example, engine users would be deleted.

Relief/Workaround

  • At the network layer, IP address allow listing may be used to limit Delphix appliance access to only approved users.  

  • It is strongly recommended that customers upgrade to 6.0.6.0 or later

Resolution

This issue is fully resolved in the 6.0.6.0 release.

Additional Information

N/A

Related Documents

N/A