exploitDog

CVE-2022-28109

Published: 15 Apr 2022
Source: redhat
CVSS3: 8.8

Description

Selenium Selenium Grid (formerly Selenium Standalone Server) Fixed in 4.0.0-alpha-7 is affected by: DNS rebinding. The impact is: execute arbitrary code (remote). The component is: WebDriver endpoint of Selenium Grid / Selenium Standalone Server. The attack vector is: Triggered by browsing to a malicious remote web server. The WebDriver endpoint of Selenium Server (Grid) is vulnerable to DNS rebinding. This can be used to execute arbitrary code on the machine.

A flaw was found in the WebDriver endpoint of Selenium Grid suite. A malicious web server can be reached via Cross-Site Request Forgery (CSRF) and DNS-rebinding attacks. This issue could allow an attacker to execute arbitrary code on the machine.

Report

dotnet is not affected by this flaw because it ships a newer version of the code.

Affected packages

| Platform | Package | State | Recommendation | Release |
| --- | --- | --- | --- | --- |
| .NET 6.0 on Red Hat Enterprise Linux | rh-dotnet60-dotnet | Not affected | | |
| .NET Core 5.0 on Red Hat Enterprise Linux | rh-dotnet50-dotnet | Out of support scope | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/application-ui-rhel8 | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/mcm-topology-rhel8 | Not affected | | |
| Red Hat Enterprise Linux 8 | dotnet5.0 | Not affected | | |

Additional information

Status: Important
Defect: CWE-352
https://bugzilla.redhat.com/show_bug.cgi?id=2076358 selenium-standalone: DNS-rebinding vulnerability

8.8 High

CVSS3

Related vulnerabilities

CVSS3: 8.8
nvd
almost 4 years ago

Selenium Selenium Grid (formerly Selenium Standalone Server) Fixed in 4.0.0-alpha-7 is affected by: DNS rebinding. The impact is: execute arbitrary code (remote). The component is: WebDriver endpoint of Selenium Grid / Selenium Standalone Server. The attack vector is: Triggered by browsing to a malicious remote web server. The WebDriver endpoint of Selenium Server (Grid) is vulnerable to DNS rebinding. This can be used to execute arbitrary code on the machine.

CVSS3: 8.8
github
almost 4 years ago

Selenium Selenium Grid (formerly Selenium Standalone Server) Fixed in 4.0.0-alpha-7 is affected by: DNS rebinding. The impact is: execute arbitrary code (remote). The component is: WebDriver endpoint of Selenium Grid / Selenium Standalone Server. The attack vector is: Triggered by browsing to a malicious remote web server. The WebDriver endpoint of Selenium Server (Grid) is vulnerable to DNS rebinding. This can be used to execute arbitrary code on the machine.
