Cross-Site Scripting (XSS) Vulnerability for Hue

This section describes an XSS security issue with Hue.

Vulnerability: Hue's home page and its beeswax application are vulnerable to XSS attacks. These pages are susceptible to malicious user input because the input on these pages is not HTML-encoded.
Details: For Hue 3.6, beeswax query submission and the creation of projects are susceptible to malicious scripts.

For Hue 3.7, the beeswax query submission issue was resolved by HUE-2345, but project creation is still susceptible to malicious scripts.

Products Affected: Hue 3.6 and Hue 3.7
Impact: An attacker can gain access to information maintained by the browser, including sensitive page content and cookies. XSS can also crash or block the use of a web page.
Severity: High
Bug Tracking: MapR bug 22838; see also HUE-2396
Immediate Action Required: Customers on Hue 3.6 should download the 1604 version of Hue from http://package.mapr.com/releases/ or request it from support@mapr.com.

Customers on Hue 3.7 should upgrade to Hue 3.8.1 or above.

Patch: For customers on Hue 3.6, the 1604 ecosystem release of Hue 3.6 from MapR contains a patch for this vulnerability. Download the latest mapr-ecosystem RPM for your operating system from the following location: http://package.mapr.com/releases/ecosystem-4.x/
For customers on Hue 3.7 that need to upgrade to Hue 3.8.1 or above, download the latest mapr-ecosystem RPM for your operating system from one of the following locations:
  • For MapR 4.x clusters: http://package.mapr.com/releases/ecosystem-4.x/
  • For MapR 5.x clusters: http://package.mapr.com/releases/ecosystem-5.x/
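
The Vulnerability entry above attributes the issue to user input that is not HTML-encoded before it is written into a page. The following Python sketch is an added example, not Hue's or MapR's code: it renders a constructed project record with and without encoding and uses a parser-based check to report any element or attribute that came from the data rather than from the template. The template, the field names and the function names are hypothetical.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: a project name and description as submitted by a user.
SAMPLE_PROJECT = {
    "name": '<script>document.title="x"</script>',
    "description": '" onmouseover="void(0)',
}

TEMPLATE = '<li title="%(description)s">%(name)s</li>'  # hypothetical template


def render_unencoded(project):
    """Mirrors the flaw described above: user input is interpolated as-is."""
    return TEMPLATE % project


def render_encoded(project):
    """Same template, with every user-supplied value HTML-encoded first.

    quote=True also encodes " and ', which matters inside attribute values.
    """
    safe = {key: html.escape(value, quote=True) for key, value in project.items()}
    return TEMPLATE % safe


class _Collector(HTMLParser):
    """Records every element and attribute name the parser sees."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.attrs = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)


def injected_markup(rendered, allowed_tags=("li",), allowed_attrs=("title",)):
    """Return (tags, attrs) found in the output that the template did not define."""
    collector = _Collector()
    collector.feed(rendered)
    collector.close()
    extra_tags = sorted(set(collector.tags) - set(allowed_tags))
    extra_attrs = sorted(set(collector.attrs) - set(allowed_attrs))
    return extra_tags, extra_attrs


if __name__ == "__main__":
    for render in (render_unencoded, render_encoded):
        print(render.__name__, injected_markup(render(SAMPLE_PROJECT)))
```

A check like `injected_markup` can run as a regression test against rendered pages after the upgrade, to confirm that stored project names and descriptions no longer introduce markup.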