Bug 1668089 (CVE-2018-20677)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2018-20677 bootstrap: XSS in the affix configuration target property | | |
| Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | abergmann, abokovoy, aileenc, alazarot, amctagga, anstephe, aoconnor, apevec, aturgema, bdettelb, bkearney, bniver, chazlett, cheimes, dajohnso, dbecker, dblechte, dfediuck, dmetzger, dmoppert, drieden, eedri, eglynn, etirelli, flucifre, frenaud, gblomqui, gmalinko, gmccullo, gmeno, gtanzill, ibek, idm-ds-dev-bugs, janstey, jfrey, jhardy, jjoyce, jkozol, jpavlik, jprause, jschluet, jwendell, kbasil, kdixon, krathod, kverlaen, lhh, lpeer, lpetrovi, mbenjamin, mburns, meissner, mgarciac, mgoldboi, mhackett, michal.skrivanek, mkosek, mperina, mpitt, muagarwa, myarboro, obarenbo, ocs-bugs, omachace, omajid, paradhya, pdelbell, pdrozd, pjindal, rcernich, rcritten, rhcs-maint, rhos-maint, rhos-maint, roliveri, rrajasek, rsynek, rzhang, sbonazzo, sclewis, sdaley, sgratch, sherold, simaishi, slinaber, sostapov, spower, sthorger, tlestach, tscherf, twalsh, twoerner, vereddy, yturgema |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | bootstrap 3.4.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | A cross-site scripting (XSS) flaw was found in Bootstrap. The affix plugin does not properly validate the user-supplied value of its `target` configuration property (settable through the Data API as `data-target`), so attacker-controlled markup in that value is interpreted as HTML rather than as a selector. A remote attacker can use this to execute script in a victim's web browser within the security context of the hosting web site, which can lead to theft of the victim's cookie-based authentication credentials. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-07-12 13:06:34 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1668093, 2183412, 1668090, 1668091, 1668092, 1673130, 1673131, 1673132, 1673133, 1673134, 1673210, 1740983, 1811966, 1811967, 2183413, 2183414, 2183415 | | |
| Bug Blocks: | 1668094 | | |
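The Doc Text above names the sink but not the mechanism. The following is an added example, not code from Bootstrap, jQuery or Red Hat: it models why an attacker-controlled affix `target` string is an XSS sink when handed to jQuery's `$()` (a string that starts with `<` and ends with `>` is parsed as HTML and turned into DOM nodes instead of being run as a selector), and the resolve-as-selector shape that Bootstrap 3.4.0 adopted (`$(document).find(target)`). The `resolveAffixTarget*` functions paraphrase the two shapes rather than quote the library; `DEFAULT_TARGET` stands in for the `window` object the real plugin defaults to; the `data-target` payload and the banner lines are constructed inputs. The version helpers implement the check a practitioner would run against a bundled `bootstrap.js`, using the page's Fixed In Version of 3.4.0.

```javascript
// Added example, not code from Bootstrap, jQuery or Red Hat. It models why an
// attacker-controlled affix `target` option is an XSS sink when handed to
// jQuery's $(), and the resolve-as-selector pattern that closes it.

// jQuery's $(string) dispatch regex (rquickExpr): a string that starts with "<"
// and ends with ">" is parsed as HTML and turned into DOM nodes; a leading "#"
// takes the id fast path; anything else runs as a CSS selector.
const RQUICK_EXPR = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

// Stand-in for the `window` object that Bootstrap's affix uses as its default target.
const DEFAULT_TARGET = Symbol('window');

// Model of $(arg).
function jqueryInitModel(arg) {
  if (arg === DEFAULT_TARGET) return { kind: 'object' };  // $(window): wraps the object
  const m = RQUICK_EXPR.exec(arg);
  if (m && m[1]) {
    // $('<img src=x onerror=...>') creates the element; the failed image load
    // fires onerror even though the node is never attached to the document.
    return { kind: 'html', markup: m[1] };
  }
  return { kind: 'selector', selector: arg };             // selector path, creates nothing
}

// Model of $(document).find(arg): the argument is only ever a selector. Markup is
// not valid CSS, so real jQuery/Sizzle throws "Syntax error, unrecognized
// expression" instead of creating nodes; modelled here as an error result.
function jqueryFindModel(arg) {
  const m = RQUICK_EXPR.exec(arg);
  if (m && m[1]) return { kind: 'selector', selector: arg, error: 'invalid selector' };
  return { kind: 'selector', selector: arg };
}

// Vulnerable shape (Bootstrap before 3.4.0, paraphrased): this.$target = $(options.target)
function resolveAffixTargetVulnerable(options) {
  const target = options.target === undefined ? DEFAULT_TARGET : options.target;
  return jqueryInitModel(target);
}

// Hardened shape (Bootstrap 3.4.0, paraphrased): the default `window` object is
// wrapped as before, but any configured string goes through $(document).find().
function resolveAffixTargetFixed(options) {
  const target = options.target === undefined ? DEFAULT_TARGET : options.target;
  if (target === DEFAULT_TARGET) return jqueryInitModel(target);
  return jqueryFindModel(target);
}

// Bootstrap dist files carry a banner line such as " * Bootstrap v3.3.7 (http://getbootstrap.com)"
// or, per plugin, " * Bootstrap: affix.js v3.3.7". Pull the version out of one such line.
function parseBootstrapVersion(bannerLine) {
  const m = /Bootstrap(?::\s*[\w.-]+\.js)?\s+v(\d+\.\d+\.\d+)/.exec(bannerLine);
  return m ? m[1] : null;
}

// Fixed In Version on this bug is bootstrap 3.4.0; anything earlier is affected.
// (Bootstrap 4.x dropped the affix plugin, so it has no affix sink to reach.)
function isAffectedByCve201820677(version) {
  const [major, minor] = version.split('.').map(Number);
  return major < 3 || (major === 3 && minor < 4);
}

// Constructed input: a data-target value an attacker could plant on a page whose
// HTML sanitizer lets data-* attributes through (a common allow-list gap).
const ATTACKER_TARGET = '<img src=x onerror=alert(document.cookie)>';

console.log('vulnerable:', resolveAffixTargetVulnerable({ target: ATTACKER_TARGET }));
console.log('fixed:     ', resolveAffixTargetFixed({ target: ATTACKER_TARGET }));
console.log('benign:    ', resolveAffixTargetFixed({ target: '#sidebar' }));
console.log('banner 3.3.7 affected:',
  isAffectedByCve201820677(parseBootstrapVersion(' * Bootstrap: affix.js v3.3.7')));
```

The point of the model is that the fix is not input filtering: the same string reaches both versions, but the hardened path gives jQuery no opportunity to treat it as markup. When auditing a bundle, grep the banner for the version and treat anything below 3.4.0 that still ships affix.js as affected; also check for vendored copies under other names (the Statement below lists ovirt-js-dependencies and ovirt-engine-dashboard as examples of that).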
Description
Laura Pardo
2019-01-21 21:31:50 UTC
This issue has been addressed in the following products:
Red Hat Single Sign-On 7.3.2 zip
Via RHSA-2019:1456 https://access.redhat.com/errata/RHSA-2019:1456

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-20677

This vulnerability was addressed in Red Hat Virtualization 4.3 package ovirt-engine-api-explorer via https://access.redhat.com/errata/RHBA-2019:1570

Statement: Red Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don't use the vulnerable component at all. Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.

This issue has been addressed in the following products:
Red Hat Virtualization Engine 4.3
Via RHSA-2019:3023 https://access.redhat.com/errata/RHSA-2019:3023

This issue has been addressed in the following products:
Red Hat Process Automation
Via RHSA-2020:0132 https://access.redhat.com/errata/RHSA-2020:0132

This issue has been addressed in the following products:
Red Hat Decision Manager
Via RHSA-2020:0133 https://access.redhat.com/errata/RHSA-2020:0133

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2020:3936 https://access.redhat.com/errata/RHSA-2020:3936

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:4670 https://access.redhat.com/errata/RHSA-2020:4670

This issue has been addressed in the following products:
Red Hat OpenStack Platform 13.0 (Queens)
Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS
Via RHSA-2020:5571 https://access.redhat.com/errata/RHSA-2020:5571

Fuse-7 is in maintenance and JDG-7 is in ELS-1. Both are OOSS.

This issue has been addressed in the following products:
Red Hat Ceph Storage 6.1
Via RHSA-2023:5693 https://access.redhat.com/errata/RHSA-2023:5693