search menu icon-carat-right cmu-wordmark

CERT Coordination Center

CA LISA Release Automation contains multiple vulnerabilities

Vulnerability Note VU#343060

Original Release Date: 2014-12-15 | Last Revised: 2014-12-17


CA LISA Release Automation contains multiple vulnerabilities


CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2014-8246

CA LISA Release Automation contains a global Cross-Site Request Forgery (CSRF) vulnerability. The application allows a malicious user to perform actions on the site with the same permissions as the victim. This vulnerability requires the attacker to be authenticated and have an active session.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2014-8247

CA Release Automation contains a global cross-site scripting (XSS) vulnerability in the server exception message.

CWE-89: Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') - CVE-2014-8248

CA Release Automation contains a SQL injection vulnerability in the filter and parent parameters. This vulnerability may allow an authenticated attacker to elevate privileges by extracting the hash of the administrator user.

Note: the CVSS score reflects CVE-2014-8246


A remote, unauthenticated attacker may be able to execute arbitrary script in the context of the end-user's browser session, elevate privileges, or perform actions as an authenticated user.


Apply an Update
CA has developed a hotfix which is available on their site. The b448 hotfix includes patches for all of the listed vulnerabilities. Please see CA's security notice for more details.

Vendor Information


CA Technologies Affected

Notified:  October 23, 2014 Updated: December 17, 2014



Vendor Statement

Issued: December 15, 2014

CA Technologies Support is alerting customers to multiple
vulnerabilities in CA Release Automation (formerly CA LISA Release
Automation, change effective 2014-09-19).

The first vulnerability, CVE-2014-8246, is a cross-site request forgery
(CSRF) issue related to insufficient validation.  A remote attacker can
potentially execute privileged actions on a vulnerable website.

The second vulnerability, CVE-2014-8247, is a cross-site scripting (XSS)
issue caused by insufficient input filtering.  A remote attacker can
execute specially crafted script.

The third vulnerability, CVE-2014-8248, is a SQL injection issue caused
by insufficient input sanitization.  An attacker with a non-privileged
account could utilize a specially crafted query to access privileged

Risk Rating




Affected Products

CA Release Automation 4.7.1 Build 413 and earlier

Unaffected Products

CA Release Automation 4.7.1 Build 448

How to determine if the installation is affected

To confirm that cumulative hot fix b448 is installed, navigate to the
RA â€𕎫out Automation Studioâ€

Vendor Information


Vendor References

CVSS Metrics

Group Score Vector
Base 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal 6.1 E:POC/RL:U/RC:ND
Environmental 1.5 CDP:N/TD:L/CR:ND/IR:ND/AR:ND



Thanks to Julian Horoszkiewicz and Lukasz Plonka for reporting these vulnerabilities.

This document was written by Chris King.

Other Information

CVE IDs: CVE-2014-8246, CVE-2014-8247, CVE-2014-8248
Date Public: 2014-12-15
Date First Published: 2014-12-15
Date Last Updated: 2014-12-17 15:41 UTC
Document Revision: 24

Sponsored by CISA.