From 18f75e074cc350dc05e06d247517319ec09cc553 Mon Sep 17 00:00:00 2001
From: Pierre Riteau <pierre@stackhpc.com>
Date: Mon, 12 Oct 2020 09:50:19 +0200
Subject: [PATCH] Add OSSA-2020-007 (CVE-2020-26943)

Change-Id: I18de37da9f22fe28c60fc1fbfb1322aaaad11b88
Related-Bug: #1895688
---
 ossa/OSSA-2020-007.yaml | 42 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 ossa/OSSA-2020-007.yaml

diff --git a/ossa/OSSA-2020-007.yaml b/ossa/OSSA-2020-007.yaml
new file mode 100644
index 0000000..ee51566
--- /dev/null
+++ b/ossa/OSSA-2020-007.yaml
@@ -0,0 +1,42 @@
+date: 2020-10-12
+
+id: OSSA-2020-007
+
+title: Remote code execution in blazar-dashboard
+
+description: >
+  Lukas Euler (Positive Security) reported a vulnerability in blazar-dashboard.
+  A user allowed to access the Blazar dashboard in Horizon may trigger code
+  execution on the Horizon host as the user the Horizon service runs under.
+  This may result in Horizon host unauthorized access and further compromise of
+  the Horizon service. All setups using the Horizon dashboard with the
+  blazar-dashboard plugin are affected.
+
+affected-products:
+  - product: blazar-dashboard
+    version: '<1.3.1, ==2.0.0, ==3.0.0'
+
+vulnerabilities:
+  - cve-id: CVE-2020-26943
+
+reporters:
+  - name: Lukas Euler
+    affiliation: Positive Security
+    reported:
+      - CVE-2020-26943
+
+issues:
+  links:
+    - https://launchpad.net/bugs/1895688
+
+reviews:
+  wallaby:
+    - https://review.opendev.org/755810
+  victoria:
+    - https://review.opendev.org/756064
+  ussuri:
+    - https://review.opendev.org/755812
+  train:
+    - https://review.opendev.org/755813
+  stein:
+    - https://review.opendev.org/755814