
List:       oss-security
Subject:    [oss-security] CVE-2024-24683: Apache Hop Engine: ID isn't escaped when generating HTML
From:       Hans Van Akelyen <hansva () apache ! org>
Date:       2024-03-18 20:02:00
Message-ID: 10544beb-6e33-1f1d-ab77-0c6e221fd2ac () apache ! org

Severity: low

Affected versions:

- Apache Hop Engine before 2.8.0

Description:

Improper Input Validation vulnerability in Apache Hop Engine. This issue affects Apache Hop Engine: before 2.8.0.

Users are recommended to upgrade to version 2.8.0, which fixes the issue.

When Hop Server writes links to the PrepareExecutionPipelineServlet page, one of the parameters provided to the user was not properly escaped. The variable not properly escaped is the "id", which is not directly accessible by users creating pipelines, making the risk of exploitation low.

This issue only affects users using the Hop Server component and does not directly affect the client.

Credit:

Jonathan Leitschuh (finder)

References:

https://hop.apache.org
https://www.cve.org/CVERecord?id=CVE-2024-24683

