TB104 Executable Javascript Can Be Entered into Self-Service Freeform Text Boxes
Alert Type: Security
Impact:
- Severity (NVD): High
- Delphix CVSS v3.1 Score: 8.7
- Delphix CVSS v3.1 Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
  - Attack Vector (AV): N
  - Attack Complexity (AC): L
  - Privileges Required (PR): L
  - User Interaction (UI): R
  - Scope (S): C
  - Confidentiality (C): H
  - Integrity (I): H
  - Availability (A): N
Several user input fields in the Self Service feature of Continuous Data are vulnerable to cross-site scripting (XSS) in versions prior to 11.0.0.0; the issue is fixed in the 11.0.0.0 release. It applies only to the Self Service feature and only when one or more Delphix users are enabled for Self Service.
The Self Service feature of Continuous Data is designed to let low-privilege users with a narrowly scoped role execute predefined workflows without intervention by a more privileged Delphix user. Using Self Service requires both authentication and an authorization privilege assigned by a Delphix Admin.
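The defect class above is a stored XSS: freeform text saved by one Self Service user is later rendered, unencoded, in another user's session. The following is an added illustration, not Delphix code, showing an unsafe rendering pattern beside its hardened form, plus a heuristic a responder can use to triage already-stored field values; the field name and sample value are constructed.

```javascript
// Added example (not from the Delphix advisory or product): contextual
// output encoding for a freeform text field rendered into HTML, and a
// triage heuristic for auditing values that were stored before the fix.

// Encode the five characters that are significant in an HTML text or
// double-quoted attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed sample: a freeform "description" as another user saved it.
const storedDescription = 'Refresh nightly <img src=x onerror="alert(1)">';

// Unsafe: the stored string is interpolated into markup verbatim, so any
// element or event-handler attribute in it is parsed and runs for the viewer.
function renderUnsafe(text) {
  return `<td class="description">${text}</td>`;
}

// Hardened: the value is encoded for the HTML text context first, so the
// browser shows the characters instead of interpreting them as markup.
function renderSafe(text) {
  return `<td class="description">${escapeHtml(text)}</td>`;
}

// Triage heuristic for stored values: flags tag openers, inline event
// handler attributes and javascript: URLs. Used to find fields worth a
// manual look after an upgrade; it is not itself a sanitizer.
function looksLikeMarkup(value) {
  return /<\s*\/?[a-z!]|\bon[a-z]+\s*=|javascript:/i.test(String(value));
}

module.exports = { escapeHtml, renderUnsafe, renderSafe, looksLikeMarkup, storedDescription };
```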
Affected Products and Versions
This article applies to the following products and versions, with the following clarifications:
- “supported releases” includes releases in Extended Support.
- releases that are out of support are not checked for vulnerability applicability.
Continuous Data (formerly Virtualization): all versions of Continuous Data prior to 11.0.0.0 if Self Service is in use.
Continuous Data may be configured in a variety of different ways, all of which are susceptible to this issue. For clarity, each is listed below.
| Affected | Configuration | Notes |
|---|---|---|
| Yes | Continuous Data | none |
| Yes | Cloud Engine | none |
| Yes | Continuous Vault | none |
Other products:
- Select Connectors: N/A
- Continuous Compliance (formerly Masking): N/A
- Containerized Masking: N/A
- Hyperscale Compliance: N/A
- Data Control Tower: N/A
- Delphix Compliance Services: N/A
Mitigation
There are options for temporary mitigation until Continuous Data is upgraded as indicated in the Resolution section.
- Strong option: temporarily disable access to Self Service by removing permissions from users that are enabled for Self Service.
- Moderate option: restrict access to Self Service to a list of trusted users.
Resolution
The issue is resolved in DevOps Data Platform 11.0.0.0 and later releases for Continuous Data Engines.
Additional Information
This issue was identified as part of our standard security testing practices.
Self Service Admin Documentation:
General information on XSS attacks and vulnerabilities:
- OWASP on XSS Attacks: https://owasp.org/www-community/attacks/xss/
- PortSwigger on XSS: https://portswigger.net/web-security/cross-site-scripting