SB2019020412 - Red Hat update for Red Hat Gluster Storage Web Administration
Published: February 4, 2019
Security Bulletin ID
SB2019020412
Severity
Low
Patch available
YES
Number of vulnerabilities
3
Exploitation vector
Remote access
Highest impact
Data manipulation
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2018-7536)
The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system. The weakness exists in the django.utils.html.urlize() function due to insufficient validation of user-supplied input. A remote attacker can submit specially crafted input and cause the service to crash.
2) Resource exhaustion (CVE-ID: CVE-2018-7537)
The vulnerability allows a remote attacker to cause a DoS condition on the target system. The weakness exists in the django.utils.html.urlize() function, which was extremely slow to evaluate certain inputs because of catastrophic backtracking in two of its regular expressions. The urlize() function is used to implement the urlize and urlizetrunc template filters, which were therefore also vulnerable. A remote attacker can cause the service to crash.
3) Open redirect (CVE-ID: CVE-2018-14574)
The vulnerability allows a remote unauthenticated attacker to redirect the target user to external websites. The weakness exists in the way redirects are built on systems that use django.middleware.common.CommonMiddleware with the APPEND_SLASH setting enabled and have a URL pattern that accepts any path ending in a slash, resulting in an open redirect. A remote attacker can use a specially crafted image link, trick the victim into opening it and redirect the user to a malicious website.
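As an added illustration that is not part of the bulletin and not Django's own code, the following Python shows why an APPEND_SLASH-style redirect can leave the site (a path beginning with two slashes is a scheme-relative URL to a browser) and the leading-slash escaping that neutralises it. Function names are hypothetical and the sample paths are constructed.

```python
from typing import Optional
from urllib.parse import urlsplit


def naive_append_slash_target(path: str) -> Optional[str]:
    """Unsafe 'before' behaviour: blindly append a slash and redirect there.

    Hypothetical helper modelling the redirect an APPEND_SLASH middleware
    issues for a path that does not end in '/'. Returns None when no
    redirect is needed.
    """
    if path.endswith("/"):
        return None
    return path + "/"


def escape_leading_slashes(url: str) -> str:
    """Keep a redirect target on the current host.

    Browsers treat a path starting with '//' as a network-path reference
    (scheme-relative URL), so redirecting to it leaves the site. Percent-
    encoding the second slash turns it back into an ordinary local path.
    This mirrors the mitigation approach used for CVE-2018-14574 but is a
    reimplementation, not Django's code.
    """
    if url.startswith("//"):
        return "/%2F" + url[2:]
    return url


def hardened_append_slash_target(path: str) -> Optional[str]:
    """Hardened 'after' behaviour: append the slash, then escape leading slashes."""
    target = naive_append_slash_target(path)
    if target is None:
        return None
    return escape_leading_slashes(target)


def is_local_redirect(target: str) -> bool:
    """Defensive check a practitioner can apply to any redirect target:
    it is local only if it carries no scheme and no host and starts with '/'."""
    parts = urlsplit(target)
    return not parts.scheme and not parts.netloc and target.startswith("/")


if __name__ == "__main__":
    # Constructed sample paths: an ordinary one and a scheme-relative one.
    for sample in ("/accounts", "//example.org"):
        print(sample, "->", naive_append_slash_target(sample),
              "| hardened:", hardened_append_slash_target(sample))
```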
Remediation
Install update from vendor's website.