Cross-Site Scripting (XSS) Vulnerability for Hue
This section describes an XSS security issue with Hue.
|Vulnerability||Hue’s home page and its beeswax application are vulnerable to XSS attacks. These pages are susceptible to malicious user input because the input on these pages is not HTML-encoded.|
|Details||For Hue 3.6, beeswax query submission and the creation of projects are susceptible to malicious scripts. For Hue 3.7, the beeswax query submission issue was resolved by HUE-2345 but project creation is still susceptible to malicious scripts.|
|Products Affected||Hue 3.6 and Hue 3.7|
|Impact||An attacker can gain access to information maintained by the browser, including sensitive page content and cookies. XSS can also crash or block the use of a web page.|
|Bug Tracking||MapR bug 22838; see also HUE-2396|
|Immediate Action Required||Customers on Hue 3.6 should download the 1604 version of Hue from http://package.mapr.com/releases/ or request it from firstname.lastname@example.org. Customers on Hue 3.7 should upgrade to Hue 3.8.1 or above.|
|Patch||For customers on Hue 3.6, the 1604 ecosystem release of Hue 3.6 from MapR contains a patch for this vulnerability. Download the latest mapr-ecosystem RPM for your operating system from the following location:
For customers on Hue 3.7 that need to upgrade to Hue 3.8.1 or above, download the latest mapr-ecosystem RPM for your operating system from one of the following locations: