PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-5737 OpenStack CVE debrief

CVE-2016-5737 is a cross-site scripting issue in OpenStack's puppet-gerrit configuration. The problem is that text/html is incorrectly marked as a safe mimetype, which can let a crafted review render as active HTML in a user's browser. The issue was publicly recorded by NVD on 2017-01-12; by then the upstream commit and the oss-security disclosure referenced by the CVE record were already available as patch and disclosure references.

Vendor: OpenStack
Product: CVE-2016-5737
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-12
Original CVE updated: 2026-05-13
Advisory published: 2017-01-12
Advisory updated: 2026-05-13

Who should care

Administrators and maintainers using the OpenStack puppet-gerrit module, especially anyone deploying Gerrit through Puppet and relying on its safe-mimetype settings. Teams responsible for reviewing configuration changes, web-facing code review workflows, and browser-based admin access should treat this as relevant.

Technical summary

NVD maps this issue to CWE-79 and describes it as a Gerrit configuration problem in puppet-gerrit that marks text/html as a safe mimetype. That unsafe trust decision can cause crafted review content to be interpreted as HTML rather than displayed as inert text, creating a reflected or stored XSS condition depending on how the review content is served and viewed. NVD's vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network reachability, low attack complexity, no privileges required, user interaction required, and a scope change (the impact lands in the viewing user's browser rather than in Gerrit itself), with low confidentiality and integrity impact and no availability impact.

Defensive priority

Medium. The CVSS score is 6.1 and the attack requires user interaction, but the impact includes confidentiality and integrity exposure in a browser context. Prioritize remediation if the module is still deployed or if Gerrit review content can be rendered with trusted HTML handling.

Recommended defensive actions

  • Update or backport the upstream puppet-gerrit fix referenced in the project commit 8573c2ee172f66c1667de49685c88fdc8883ca8b.
  • Review Gerrit and puppet-gerrit configuration to ensure text/html is not treated as a safe mimetype unless there is a documented and controlled need.
  • Validate that review content is escaped or rendered safely in the web UI after configuration changes.
  • Audit any downstream Puppet manifests or overrides that may reintroduce the unsafe mimetype setting.
  • Check whether users with browser access to Gerrit may have been exposed before remediation, and rotate or review sessions if your incident process calls for it.
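As an added example, not code from puppet-gerrit or Gerrit, the following Python check scans gerrit.config-style text and reports mimetypes that are marked safe but that a browser renders as active content. It assumes Gerrit's `[mimetype "<type>"] safe = true` section format; the sample configuration and the active-content list are constructed for this example.

```python
import re
from typing import Dict, List

# Types a browser renders as active content; constructed policy list for
# this example (text/html is the one named in CVE-2016-5737).
ACTIVE_CONTENT = {"text/html", "application/xhtml+xml", "image/svg+xml"}

SECTION_RE = re.compile(r'^\s*\[mimetype\s+"([^"]+)"\]\s*$')
KEY_RE = re.compile(r'^\s*(\w+)\s*(?:=\s*(.*?))?\s*$')

# Constructed gerrit.config fragments (not taken from a real deployment).
WEAK_CONFIG = """\
[gerrit]
    basePath = git
[mimetype "image/png"]
    safe = true
[mimetype "text/html"]
    safe = true   ; the setting behind CVE-2016-5737
"""
FIXED_CONFIG = WEAK_CONFIG.replace("safe = true   ;", "safe = false  ;")


def safe_mimetypes(config_text: str) -> Dict[str, bool]:
    """Return {mimetype: safe?} for every [mimetype "..."] section."""
    result: Dict[str, bool] = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0]  # drop git-config comments
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            result.setdefault(current, False)  # unset 'safe' defaults to false
            continue
        if line.lstrip().startswith("["):
            current = None  # entered some other section
            continue
        kv = KEY_RE.match(line)
        if current and kv and kv.group(1).lower() == "safe":
            value = kv.group(2)
            # git-config booleans: a bare key, true, yes, on and 1 all mean true
            result[current] = value is None or value.lower() in ("true", "yes", "on", "1")
    return result


def unsafe_findings(config_text: str) -> List[str]:
    """Mimetypes marked safe that a browser would treat as active content."""
    return sorted(t for t, safe in safe_mimetypes(config_text).items()
                  if safe and t in ACTIVE_CONTENT)
```

Run it against the rendered output of your Puppet manifests as well as the live gerrit.config, since an override that re-adds the setting is what the audit bullet above is meant to catch.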

Evidence notes

The CVE description states that the OpenStack Puppet module for Gerrit improperly marks text/html as a safe mimetype, enabling XSS via a crafted review. NVD lists CWE-79 and the CVSS vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The official references include the oss-security thread and the upstream GitHub commit, which serve as patch and disclosure evidence.

Official resources

Publicly disclosed in the CVE record on 2017-01-12, with upstream patch/reference material linked from June 2016 in the CVE metadata. Use the CVE published date, not later record modification dates, for vulnerability timing context.