Path traversal vulnerability in Operations Center Context
BEE-56974
Severity (CVSS): High
Description:
Operations Center Context version 3.27663 and earlier does not sanitize the entry paths of tar archives it extracts. This allows attackers with Overall/Administer permission on connected controllers to write to arbitrary file paths on the operations center, ultimately allowing arbitrary remote command execution, for example through init.groovy.d/ or by deploying a crafted plugin.
Operations Center Context 3.27663 or later sanitizes the entry paths in the tar when extracting it, which prevents this attack.
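The per-entry check that a tar extractor has to apply is shown below as an added example in Python; it is not code from Operations Center Context or CloudBees, and the destination directory and the sample archives are constructed for illustration.

```python
import io
import os
import tarfile


def member_is_safe(dest: str, member: tarfile.TarInfo) -> bool:
    """True if extracting `member` under `dest` cannot write outside `dest`."""
    # Links carry a second path (the link target). A symlink pointing outside
    # dest followed by a later member written through it is the classic escape,
    # so links are refused outright rather than resolved.
    if member.issym() or member.islnk():
        return False
    if os.path.isabs(member.name):
        return False
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, member.name))
    # Compare path components, not string prefixes, so that a dest of
    # "/opt/oc" does not accept a target under "/opt/oc-other/".
    return os.path.commonpath([dest_real, target]) == dest_real


def audit_tar(data: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Split the members of an in-memory tar into (accepted, rejected) names."""
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            (accepted if member_is_safe(dest, member) else rejected).append(member.name)
    return accepted, rejected


def safe_extract(data: bytes, dest: str) -> list[str]:
    """Check every member first; reject the whole archive if any member escapes."""
    accepted, rejected = audit_tar(data, dest)
    if rejected:
        raise ValueError(f"refusing archive: unsafe members {rejected}")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        tar.extractall(dest)
    return accepted


def build_tar(entries: dict[str, bytes]) -> bytes:
    """Constructed sample archive; names are written verbatim, so '..' entries survive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```

Rejecting the whole archive rather than skipping the offending entry is deliberate: a partially extracted plugin or init script directory is harder to reason about than a clean failure that can be logged and alerted on.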
CSRF vulnerability in Operations Center Context
BEE-56975
Severity (CVSS): Medium
Description:
Operations Center Context before 3.27683 does not require POST for the HTTP endpoint that moves or copies items, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to perform move, copy and promote actions.
Operations Center Context 3.27683 requires POST for the affected HTTP endpoint.