Synopsis
The remote Crucible server is affected by multiple attack vectors.

Description
Versions of Crucible 3.9.x prior to 3.9.2 are affected by multiple vulnerabilities:
- An unspecified flaw may allow an attacker to bypass Cross-Site Request Forgery (CSRF) protection mechanisms and conduct CSRF attacks. No further details have been provided by the vendor.
- A flaw exists that is triggered when handling HTTP requests containing newline characters. This may allow a remote attacker to inject forged content into log files.
- A flaw exists in the REST API that may allow a remote attacker to gain unauthorized access to a review of the patch list and the contents of patches.
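The log-injection flaw in the second bullet works because a CR/LF carried in a request field ends the current log line and starts a fabricated one. The following is an added illustration, not Crucible's own code, of how a server can neutralize such values before logging and how a defender can flag requests that carry literal or percent-encoded CR/LF; the request path and fields are constructed samples.

```python
import re
from urllib.parse import unquote

# Any ASCII control character (CR and LF included) plus DEL. These are the
# characters a forged request needs in order to end the current log line and
# begin a fabricated one.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def neutralize(value: str) -> str:
    """Escape control characters as \\xNN so a request-supplied string can
    never terminate the current log line or open a new one."""
    return _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)


def format_access_log_line(method: str, path: str, status: int, user_agent: str) -> str:
    """Build one access-log line; every attacker-influenced field passes
    through neutralize() before it reaches the log."""
    return f'{method} {neutralize(path)} {status} "{neutralize(user_agent)}"'


def looks_like_log_forging(raw_path: str) -> bool:
    """Detection helper: flag a request path that carries CR/LF either
    literally or percent-encoded (%0d / %0a), checking before and after decoding."""
    return bool(_CONTROL_CHARS.search(raw_path) or _CONTROL_CHARS.search(unquote(raw_path)))


# Constructed sample request: the path tries to smuggle a fake second line
# that would read as a successful request to a different resource.
FORGED_PATH = '/rest-service/reviews?id=1\r\nGET /admin 200 "forged"'

if __name__ == "__main__":
    line = format_access_log_line("GET", FORGED_PATH, 404, "curl/8.0")
    print(line)  # stays one physical line; CR and LF appear as \x0d\x0a
    print(looks_like_log_forging("/rest-service/reviews?id=%0d%0aforged"))
```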
Solution
Upgrade to Crucible version 3.9.2 or later.