Bug 1399546 (CVE-2015-9251)

Summary: CVE-2015-9251 jquery: Cross-site scripting via cross-domain ajax requests
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abhgupta, aboyko, ahenning, aileenc, amasferr, aortega, apevec, asoldano, ayoung, bbaranow, bdettelb, bkearney, bmaxwell, brian.stansberry, cbillett, cdewolf, cfeist, chazlett, chrisw, cluster-maint, ctowsley, cvsbot-xmlrpc, darran.lofthouse, dkreling, dmcphers, dosoudil, drieden, fjuma, frenaud, ggaughan, hhorak, idevat, iweiss, janstey, jialiu, jjoyce, jmatthew, jochrist, jokerman, jorton, jschluet, jschorr, jshepherd, jwon, katello-bugs, kbasil, krathod, kseifried, lgao, lhh, lmeyer, lpeer, markmc, mburns, mkudlej, mlisik, mmccomas, mmccune, mosmerov, mpospisi, mrunge, msochure, msvehla, nwallace, ohadlevy, omular, pjindal, pmackay, psampaio, pskopek, rbean, rbryant, rcritten, rdopiera, rhcs-maint, rhos-maint, rstancel, satellite6-bugs, sclewis, scorneli, security-response-team, sguilhen, slinaber, slong, smaestri, srevivo, strzibny, tchollingsworth, tdecacqu, tiwillia, tjay, tjochec, tlestach, tojeline, tomckay, tom.jenkinson, tsanders, tscherf, twoerner, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jquery 3.0.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-31 01:53:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1399547, 1399548, 1399549, 1399550, 1399551, 1399552, 1399553, 1399554, 1399556, 1447007, 1447008, 1447011, 1812020, 1812021, 1812022, 1812023    
Bug Blocks: 1399561, 1591854    

Description Andrej Nemec 2016-11-29 09:53:29 UTC 
jQuery is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain ajax request is performed without the dataType option causing text/javascript responses to be executed.

Upstream bug:

https://github.com/jquery/jquery/issues/2432

Upstream patch:

https://github.com/jquery/jquery/commit/b078a62013782c7424a4a61a240c23c4c0b42614
Comment 1 Andrej Nemec 2016-11-29 09:56:13 UTC 
Created python-tw2-jquery tracking bugs for this issue:

Affects: fedora-all [bug 1399551]
Affects: epel-all [bug 1399552]
Comment 2 Andrej Nemec 2016-11-29 09:56:38 UTC 
Created js-jquery tracking bugs for this issue:

Affects: fedora-all [bug 1399549]
Affects: epel-7 [bug 1399550]
Comment 3 Andrej Nemec 2016-11-29 09:56:56 UTC 
Created js-jquery1 tracking bugs for this issue:

Affects: fedora-all [bug 1399547]
Affects: epel-7 [bug 1399548]
Comment 4 Andrej Nemec 2016-11-29 09:57:17 UTC 
Created python-XStatic-jQuery tracking bugs for this issue:

Affects: fedora-all [bug 1399553]
Affects: epel-7 [bug 1399554]
Comment 5 Andrej Nemec 2016-11-29 09:57:36 UTC 
Created rubygem-jquery-rails tracking bugs for this issue:

Affects: fedora-all [bug 1399556]
Comment 11 Tim Suter 2017-05-02 06:43:09 UTC 
wontfixing openstack p2 products
Comment 12 James Hebden 2018-07-04 23:33:21 UTC 
*** Bug 1591857 has been marked as a duplicate of this bug. ***
Comment 20 Tomas Jelinek 2020-02-07 16:18:43 UTC 
Re: pcsd concerns - comment 17

All the ajax calls in pcsd are internal, i.e. pcsd is calling itself via ajax. Therefore, I do not think the vulnerability has any security impact.
Comment 21 errata-xmlrpc 2020-02-12 15:26:50 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 6.3

Via RHSA-2020:0481 https://access.redhat.com/errata/RHSA-2020:0481
Comment 22 errata-xmlrpc 2020-03-05 13:12:56 UTC 
This issue has been addressed in the following products:

  Red Hat Data Grid 7.3.5

Via RHSA-2020:0729 https://access.redhat.com/errata/RHSA-2020:0729
Comment 24 errata-xmlrpc 2020-03-26 15:47:08 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.6.0

Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983
Comment 25 errata-xmlrpc 2020-09-29 19:57:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3936 https://access.redhat.com/errata/RHSA-2020:3936
Comment 26 errata-xmlrpc 2020-11-04 02:50:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4670 https://access.redhat.com/errata/RHSA-2020:4670
Comment 27 errata-xmlrpc 2020-11-04 03:14:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4847 https://access.redhat.com/errata/RHSA-2020:4847
Comment 30 errata-xmlrpc 2023-01-31 13:09:41 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2023:0553 https://access.redhat.com/errata/RHSA-2023:0553
Comment 31 errata-xmlrpc 2023-01-31 13:14:12 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2023:0552 https://access.redhat.com/errata/RHSA-2023:0552
Comment 32 errata-xmlrpc 2023-01-31 13:17:47 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2023:0554 https://access.redhat.com/errata/RHSA-2023:0554
Comment 33 errata-xmlrpc 2023-01-31 13:18:56 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2023:0556 https://access.redhat.com/errata/RHSA-2023:0556