Bug 1360286 (CVE-2016-7103)

Summary: CVE-2016-7103 jquery-ui: cross-site scripting in dialog closeText
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: apevec, ayoung, bkearney, cbillett, chrisw, cvsbot-xmlrpc, gmollett, jjoyce, jmatthew, jschluet, kbasil, lhh, lpeer, markmc, mburns, meissner, mmccune, mrunge, ohadlevy, pvalena, rbryant, rdopiera, rhos-maint, satellite6-bugs, sclewis, srevivo, strzibny, tdecacqu, thomas, tkasparek, tlestach, tsanders
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jquery-ui 1.12.0 Doc Type: Bug Fix
Doc Text:
It was found that a parameter of the dialog box feature of jQuery UI was vulnerable to cross site scripting. An attacker could use this flaw to execute a malicious script via the dialog box when it was displayed to a user.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:56:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1438799, 1438800, 1360289, 1360290, 1360291, 1371008, 1371010, 1371011, 1371012, 1371013, 1371014, 1371015, 1371016    
Bug Blocks: 1360295    

Description Martin Prpič 2016-07-26 12:00:52 UTC
It was found that jQuery-UI, a library for manipulating UI elements via jQuery, has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If an application passes user input to this parameter, it may be vulnerable to XSS.

Upstream patch:

https://github.com/jquery/jquery-ui/pull/1622

External References:

https://nodesecurity.io/advisories/127

Comment 1 Martin Prpič 2016-07-26 12:02:27 UTC
Created python-XStatic-jquery-ui tracking bugs for this issue:

Affects: fedora-all [bug 1360289]
Affects: epel-7 [bug 1360291]

Comment 2 Martin Prpič 2016-07-26 12:02:46 UTC
Created rubygem-jquery-ui-rails tracking bugs for this issue:

Affects: fedora-all [bug 1360290]

Comment 10 Tim Suter 2016-11-09 01:20:06 UTC
I have downgraded the impact to low as its unlikely that a user controlled variable would be passed to the dialog box close field

Comment 11 errata-xmlrpc 2016-12-08 16:16:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 9.0 (Mitaka)

Via RHSA-2016:2933 https://rhn.redhat.com/errata/RHSA-2016-2933.html

Comment 12 errata-xmlrpc 2016-12-08 16:17:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 8.0 (Liberty)

Via RHSA-2016:2932 https://rhn.redhat.com/errata/RHSA-2016-2932.html

Comment 13 errata-xmlrpc 2017-01-19 13:24:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7

Via RHSA-2017:0161 https://rhn.redhat.com/errata/RHSA-2017-0161.html

Comment 15 Tim Suter 2017-04-04 12:41:27 UTC
Created python-XStatic-jquery-ui tracking bugs for this issue:

Affects: openstack-rdo [bug 1438800]


Created rubygem-jquery-ui-rails tracking bugs for this issue:

Affects: openstack-rdo [bug 1438799]

Comment 16 Tim Suter 2017-04-04 12:42:40 UTC
> can we get a tracker for RDO as it is impacted and was missed when this was created.

Hi Jon,

I've added tracking bugs for both the affected python and ruby libraries in RDO

Comment 17 Kurt Seifried 2017-12-18 22:15:18 UTC
Statement:

Red Hat Enterprise Satellite 5 is now in phase 3 of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.