{"containers": {"cna": {"affected": [{"product": "BPMS", "vendor": "Red Hat", "versions": [{"status": "affected", "version": "6.4.2"}]}, {"product": "JDV", "vendor": "Red Hat", "versions": [{"status": "affected", "version": "6.4.3"}]}], "datePublic": "2018-07-27T00:00:00", "descriptions": [{"lang": "en", "value": "It was discovered that the Dashbuilder login page as used in Red Hat JBoss BPM Suite before 6.4.2 and Red Hat JBoss Data Virtualization & Services before 6.4.3 could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console (clickjacking)."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-07-28T09:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "RHSA-2017:0557", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0557.html"}, {"name": "RHSA-2018:2243", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:2243"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2658"}, {"name": "97025", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/97025"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T14:02:07.203Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2017:0557", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0557.html"}, {"name": "RHSA-2018:2243", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:2243"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2658"}, {"name": "97025", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/97025"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2017-2658", "datePublished": "2018-07-27T18:00:00", "dateReserved": "2016-12-01T00:00:00", "dateUpdated": "2024-08-05T14:02:07.203Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_bpm_suite:*:*:*:*:*:*:*:*", "matchCriteriaId": "8A87B62D-04DC-441E-84DB-1599F9D2FF24", "versionEndExcluding": "6.4.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_data_virtualization_\\&_services:*:*:*:*:*:*:*:*", "matchCriteriaId": "0989836C-2239-4CF7-8E58-2B041BE93AA9", "versionEndExcluding": "6.4.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "It was discovered that the Dashbuilder login page as used in Red Hat JBoss BPM Suite before 6.4.2 and Red Hat JBoss Data Virtualization & Services before 6.4.3 could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console (clickjacking)."}, {"lang": "es", "value": "Se ha descubierto que la p\u00e1gina de inicio de sesi\u00f3n de Dashbuilder tal y como se utilizaba en Red Hat JBoss BPM Suite en versiones anteriores a la 6.4.2 y en Red Hat JBoss Data Virtualization Services en versiones anteriores a la 6.4.3 pod\u00eda abrirse en un IFRAME, lo que permit\u00eda interceptar y manipular las solicitudes. Un atacante podr\u00eda usar este defecto para enga\u00f1ar a un usuario para que realice acciones arbitrarias en la consola (clickjacking)."}], "id": "CVE-2017-2658", "lastModified": "2023-02-12T23:29:39.463", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2018-07-27T18:29:01.187", "references": [{"source": "secalert@redhat.com", "tags": ["Broken Link", "Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0557.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/97025"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:2243"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2658"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "secalert@redhat.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"acknowledgement": "This issue was discovered by Martin Weiler (Red Hat).", "affected_release": [{"advisory": "RHSA-2017:0557", "cpe": "cpe:/a:redhat:jboss_bpms:6.4", "product_name": "Red Hat JBoss BPMS 6.4", "release_date": "2017-03-16T00:00:00Z"}, {"advisory": "RHSA-2018:2243", "cpe": "cpe:/a:redhat:jboss_data_virtualization:6.4", "package": "dashbuilder", "product_name": "Red Hat JBoss Data Virtualization 6.4", "release_date": "2018-07-23T00:00:00Z"}], "bugzilla": {"description": "Dashbuilder: Lack of clickjacking protection on the login page", "id": "1433087", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1433087"}, "csaw": false, "cvss": {"cvss_base_score": "2.9", "cvss_scoring_vector": "AV:A/AC:M/Au:N/C:N/I:P/A:N", "status": "verified"}, "cvss3": {"cvss3_base_score": "2.6", "cvss3_scoring_vector": "CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", "status": "verified"}, "cwe": "CWE-20", "details": ["It was discovered that the Dashbuilder login page as used in Red Hat JBoss BPM Suite before 6.4.2 and Red Hat JBoss Data Virtualization & Services before 6.4.3 could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console (clickjacking).", "It was discovered that the Dashbuilder login page could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console (clickjacking)."], "name": "CVE-2017-2658", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:6", "fix_state": "Affected", "package_name": "dashbuilder", "product_name": "Red Hat BPM Suite 6"}], "public_date": "2017-03-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-2658\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-2658"], "threat_severity": "Low"}