TB110 Cross-Site Scripting (XSS) Vulnerability Provides Access to the Masking Engine API
Alert Type
Security
Impact
Severity (NVD): High
Delphix CVSS v3.1 Score: 8.2
Delphix CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Attack Vector (AV): N
Attack Complexity (AC): L
Privileges Required (PR): N
User Interaction (UI): R
Scope (S): C
Confidentiality (C): H
Integrity (I): L
Availability (A): N
Under certain conditions, Continuous Compliance may be susceptible to a cross-site scripting attack. Exploitation requires the victim Delphix user to have specific privileges to the targeted API action. This security bug was discovered internally by Delphix's security testing processes.
An attacker who gets a malicious script to execute in a Delphix user's browser can use that script to call the Continuous Compliance Engine's masking APIs and perform actions as that user. The severity depends on the privileges granted to the user being exploited: if that user has administrative privileges, the attacker can perform administrative actions through the APIs.
Affected Products and Versions
This article applies to the following products and versions, with the following clarifications:
- “supported releases” includes releases in Extended Support.
- releases that are out of support are not checked for vulnerability applicability.
Continuous Compliance (formerly Masking)
All releases from 8.0.0.0 to 12.0.0.0 (inclusive).
Containerized Masking
All releases from 8.0.0.0 to 12.0.0.0 (inclusive).
Continuous Data (formerly Virtualization)
Continuous Data has a variety of functional deployments. Depending on the deployment you are using, the impact may differ.
| Configuration | Affected |
|---|---|
| Continuous Data | No |
| Cloud Engine | No |
| Continuous Vault | No |
| Self-Service (Jet Stream) | No |
Hyperscale Compliance
N/A
Data Control Tower
N/A
Delphix Compliance Services
N/A
Mitigation
None.
Resolution
This issue is resolved in DevOps Data Platform 13.0.0.0 and later releases for Continuous Compliance Engines.
Additional Information
None.