Delphix

TB110 Cross-Site Scripting (XSS) Vulnerability Provides Access to the Masking Engine API

Alert Type: Security

Impact

Severity (NVD): High
Delphix CVSS v3.1 Score: 8.2
Delphix CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

  • Attack Vector (AV): N (Network)
  • Attack Complexity (AC): L (Low)
  • Privileges Required (PR): N (None)
  • User Interaction (UI): R (Required)
  • Scope (S): C (Changed)
  • Confidentiality (C): H (High)
  • Integrity (I): L (Low)
  • Availability (A): N (None)


Under certain conditions, Continuous Compliance may be susceptible to a cross-site scripting attack. Exploitation requires the victim Delphix user to hold specific privileges for the targeted API action. This security bug was discovered internally by Delphix's security testing processes.

An attacker can exploit the Masking Engine's APIs by causing a malicious script to execute in the user's browser; that script can then make API calls to the Continuous Compliance Engine and perform malicious actions with the privileges of the logged-in user. The severity therefore depends on the privileges granted to the exploited user: if the user under attack has administrative privileges, the attacker could perform administrative actions via the APIs.
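The chain described above, script injected into a page and executed in the victim's session so that it can call the engine API with the victim's privileges, is the general cross-site scripting class. The JavaScript below is an added illustration of that class; it is not Delphix code and does not describe where the defect sat in Continuous Compliance. It shows a rendering function that interpolates untrusted text into markup unescaped beside its hardened form, with a constructed probe input and a coarse tag counter of the kind a reviewer or unit test could use to catch the difference.

```javascript
// Added illustration (not Delphix code): why unescaped rendering of untrusted
// text lets attacker-controlled markup, and with it script, run inside the
// victim's session. Anything the victim's browser may call (here, an engine
// API) then becomes callable by the injected script with the victim's privileges.

// Vulnerable pattern: the value goes straight into HTML. The DOM equivalent is
// element.innerHTML = name.
function renderNameUnsafe(name) {
  return `<span class="user">${name}</span>`;
}

// Context-aware escaping for an HTML text node. Each character that can open a
// tag, entity, or attribute boundary becomes an entity, so the browser treats
// the whole value as text. The DOM equivalent is element.textContent = name.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: same template, escaped value.
function renderNameSafe(name) {
  return `<span class="user">${escapeHtml(name)}</span>`;
}

// Coarse review-side check: count tag boundaries in the rendered output. The
// template itself contributes exactly two (<span> and </span>); any more means
// the input introduced markup. Illustrative only; a real test would use an
// HTML parser rather than a regular expression.
function countTags(html) {
  return (html.match(/<[a-zA-Z/]/g) || []).length;
}

// Constructed probe: harmless markup, but any element or event handler placed
// in the same position would be injected the same way.
const PROBE = 'Alice <i>injected</i>';

console.log(renderNameUnsafe(PROBE), countTags(renderNameUnsafe(PROBE)));
console.log(renderNameSafe(PROBE), countTags(renderNameSafe(PROBE)));
```

The unsafe render of the probe carries four tag boundaries, the safe render two; the injected text is still visible to the user but is no longer interpreted as HTML. Escaping must match the output context (HTML text, attribute value, URL, script), and a Content-Security-Policy header is the usual second layer. For the affected releases listed below this advisory reports no mitigation, so the Resolution section's upgrade is the fix for the product itself.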

Affected Products and Versions

This article applies to the following products and versions, with the following clarifications:

  • “supported releases” includes releases in Extended Support.
  • releases that are out of support are not checked for vulnerability applicability.

Continuous Compliance (formerly Masking) 

All releases from 8.0.0.0 to 12.0.0.0 (inclusive).

Containerized Masking

All releases from 8.0.0.0 to 12.0.0.0 (inclusive).

Continuous Data (formerly Virtualization) 

Continuous Data has a variety of functional deployments. Depending on the deployment you are using, the impact may differ.

Configuration               Affected
Continuous Data             No
Cloud Engine                No
Continuous Vault            No
Self-Service (Jet Stream)   No

Hyperscale Compliance 

N/A

Data Control Tower 

N/A

Delphix Compliance Services 

N/A

Mitigation 

None.

Resolution 

This issue is resolved in DevOps Data Platform 13.0.0.0 and later releases for Continuous Compliance Engines.

Additional Information

None.