Vulnerability Note VU#343060

CA LISA Release Automation contains multiple vulnerabilities

Original Release date: 15 Dec 2014 | Last revised: 17 Dec 2014


CA LISA Release Automation contains multiple vulnerabilities


CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2014-8246

CA LISA Release Automation contains a global Cross-Site Request Forgery (CSRF) vulnerability. The application allows a malicious user to perform actions on the site with the same permissions as the victim. This vulnerability requires the attacker to be authenticated and have an active session.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2014-8247

CA Release Automation contains a global cross-site scripting (XSS) vulnerability in the server exception message.

CWE-89: Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') - CVE-2014-8248

CA Release Automation contains a SQL injection vulnerability in the filter and parent parameters. This vulnerability may allow an authenticated attacker to elevate privileges by extracting the hash of the administrator user.

Note: the CVSS score reflects CVE-2014-8246


A remote, unauthenticated attacker may be able to execute arbitrary script in the context of the end-user's browser session, elevate privileges, or perform actions as an authenticated user.


Apply an Update
CA has developed a hotfix which is available on their site. The b448 hotfix includes patches for all of the listed vulnerabilities. Please see CA's security notice for more details.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
CA TechnologiesAffected23 Oct 201417 Dec 2014
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal 6.1 E:POC/RL:U/RC:ND
Environmental 1.5 CDP:N/TD:L/CR:ND/IR:ND/AR:ND



Thanks to Julian Horoszkiewicz and Lukasz Plonka for reporting these vulnerabilities.

This document was written by Chris King.

Other Information


If you have feedback, comments, or additional information about this vulnerability, please send us email.