
CERT Coordination Center

CA LISA Release Automation contains multiple vulnerabilities

Vulnerability Note VU#343060

Original Release Date: 2014-12-15 | Last Revised: 2014-12-17

Overview

CA LISA Release Automation 4.7.1.385 contains multiple vulnerabilities.

Description

CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2014-8246

CA LISA Release Automation 4.7.1.385 contains a global Cross-Site Request Forgery (CSRF) vulnerability. The application allows a malicious user to perform actions on the site with the same permissions as the victim. This vulnerability requires the attacker to be authenticated and have an active session.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2014-8247

CA Release Automation 4.7.1.385 contains a global cross-site scripting (XSS) vulnerability in the server exception message.

CWE-89: Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') - CVE-2014-8248

CA Release Automation 4.7.1.385 contains a SQL injection vulnerability in the filter and parent parameters. This vulnerability may allow an authenticated attacker to elevate privileges by extracting the hash of the administrator user.
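The SQL injection described above (CVE-2014-8248) arises when request parameters such as filter and parent are spliced into SQL text. The following added example is not code from CA Release Automation; it uses a constructed in-memory SQLite table with a parent column to contrast a string-built query with a parameterised one, showing that in the vulnerable form ordinary input containing an apostrophe reaches the SQL parser, while the hardened form binds the same values as data and validates the parent id.

```python
import sqlite3

# Constructed sample data (hypothetical release tree, not CA's schema).
_ROWS = [
    (1, "Release 4.7", None),
    (2, "Hotfix b448", 1),
    (3, "Internal build", 1),
]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE releases (id INTEGER, name TEXT, parent INTEGER)")
    conn.executemany("INSERT INTO releases VALUES (?, ?, ?)", _ROWS)
    return conn


def find_children_vulnerable(parent, name_filter):
    """String-built query: the request parameters become part of the SQL text."""
    sql = ("SELECT id, name FROM releases WHERE parent = " + str(parent)
           + " AND name LIKE '%" + name_filter + "%'")
    return _connect().execute(sql).fetchall()


def find_children_safe(parent, name_filter):
    """Parameterised query: the same values are validated and bound as data."""
    try:
        parent_id = int(parent)          # parent must be an integer id
    except (TypeError, ValueError):
        raise ValueError("parent must be an integer id")
    sql = "SELECT id, name FROM releases WHERE parent = ? AND name LIKE ?"
    return _connect().execute(sql, (parent_id, "%" + name_filter + "%")).fetchall()


def compare(parent, name_filter):
    """Run both variants; return each result, or the exception class name raised."""
    results = []
    for fn in (find_children_vulnerable, find_children_safe):
        try:
            results.append(fn(parent, name_filter))
        except Exception as exc:          # noqa: BLE001 - report the failure mode
            results.append(type(exc).__name__)
    return tuple(results)


if __name__ == "__main__":
    print(compare(1, "Hotfix"))      # both variants: [(2, 'Hotfix b448')]
    print(compare(1, "O'Brien"))     # vulnerable: OperationalError; safe: []
    print(compare("abc", "Hotfix"))  # vulnerable: OperationalError; safe: ValueError
```

The apostrophe in "O'Brien" is enough to alter the statement in the string-built version; the parameterised version never lets user input change the query shape.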

Note: the CVSS score reflects CVE-2014-8246.

Impact

A remote, unauthenticated attacker may be able to execute arbitrary script in the context of the end-user's browser session, elevate privileges, or perform actions as an authenticated user.

Solution

Apply an Update
CA has developed a hotfix which is available on their site. The b448 hotfix includes patches for all of the listed vulnerabilities. Please see CA's security notice for more details.

Vendor Information


CVSS Metrics

Group          Score  Vector
Base           6.8    AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal       6.1    E:POC/RL:U/RC:ND
Environmental  1.5    CDP:N/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Julian Horoszkiewicz and Lukasz Plonka for reporting these vulnerabilities.

This document was written by Chris King.

Other Information

CVE IDs: CVE-2014-8246, CVE-2014-8247, CVE-2014-8248
Date Public: 2014-12-15
Date First Published: 2014-12-15
Date Last Updated: 2014-12-17 15:41 UTC
Document Revision: 24

Sponsored by CISA.