It was found that the Syndesis configuration for Cross-Origin Resource Sharing was set to allow all origins. An attacker could use this lack of protection to conduct phishing attacks and further access unauthorized information.
The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Fuse | Redhat | * | 7.5.0 (excluding) |
Syndesis | Redhat | - (including) | - (including) |
Red Hat Fuse 7.4.1 | RedHat | syndesis-server | * |
Red Hat Fuse 7.5.0 | RedHat | syndesis-server | * |
If a cross-domain policy file includes domains that should not be trusted, such as when using wildcards under a high-level domain, then the application could be attacked by these untrusted domains. In many cases, the attack can be launched without the victim even being aware of it.
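As an added illustration (not Syndesis or Red Hat code), the helper below rates the CORS grant a server returned for a given request, flagging the wildcard and reflected-origin cases the advisory describes, and shows the hardened alternative: an exact-match allowlist. `ALLOWED_ORIGINS` and the header values in the test are constructed assumptions.

```python
# Added example, not Syndesis code. ALLOWED_ORIGINS is an assumed trusted
# UI origin; adjust it to the deployment being audited.
ALLOWED_ORIGINS = {"https://console.example.com"}


def classify_cors(request_origin, response_headers):
    """Rate one response's CORS grant.

    request_origin: value of the Origin header the client sent.
    response_headers: response header names -> values, any letter case.
    Returns a finding string beginning with ok/medium/high/critical.
    """
    hdrs = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = hdrs.get("access-control-allow-origin")
    creds = hdrs.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "ok: no cross-origin read access granted"
    if acao == "*":
        # Browsers refuse credentialed requests to '*', but any site can still
        # read responses protected only by network position or bearer tokens.
        return "high: wildcard origin, any site may read non-credentialed responses"
    if acao == "null":
        return "medium: 'null' origin allowed (sandboxed frames, data: URLs)"
    if acao not in ALLOWED_ORIGINS:
        # Echoing the caller's Origin is equivalent to '*'; with credentials it
        # also exposes the victim's authenticated data to the caller's page.
        sev = "critical" if creds and acao == request_origin else "high"
        return f"{sev}: untrusted origin {acao} granted access"
    return "ok: allowlisted origin"


def cors_headers_for(request_origin):
    """Hardened policy: echo Origin only on an exact allowlist match.

    Exact matching avoids the wildcard/suffix mistakes the CWE text warns
    about, where a pattern under a high-level domain admits unrelated hosts.
    """
    if request_origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": request_origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}  # stop caches replaying one origin's grant
    return {}
```

Run `classify_cors` over the Origin/response pairs collected from a preflight or simple request to each API endpoint; anything not rated `ok` needs the allowlist fix.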