Bug 1695901 (CVE-2019-10179)

Summary: CVE-2019-10179 pki-core/pki-kra: Reflected XSS in recoveryID search field at KRA's DRM agent page in authorize recovery tab
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aakkiang, alee, ascheel, carnil, cbuissar, cfu, edewata, gkapoor, jmagne, kwright, mharmsen, prisingh, rhcs-maint, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
It was found that the Key Recovery Authority (KRA) Agent Service did not properly sanitize recovery request search page, enabling a Reflected Cross Site Scripting (XSS) vulnerability. An attacker could trick an authenticated victim into executing specially crafted Javascript code.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-04 02:21:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1724713, 1724714, 1797689, 1842734, 1926316, 1926317    
Bug Blocks: 1695902    

Description Pedro Sampaio 2019-04-03 21:19:03 UTC 
A flaw was found in recoveryID search field at KRA's DRM agent page in authorize recovery tab, this user input is not being sanitized and therefore it is vulnerable to a reflected XSS.
Comment 1 Cedric Buissart 2019-05-29 09:44:18 UTC 
Acknowledgments:

Name: Pritam Singh (Red Hat)
Comment 7 Cedric Buissart 2020-02-03 16:30:40 UTC 
Statement:

This vulnerability is rated Low : the web UI uses client TLS authentication, therefore stealing session cookies will not be sufficient for unauthorized access. The vulnerable page itself does not contain secrets.
Comment 8 Cedric Buissart 2020-02-03 16:31:08 UTC 
Created pki-core tracking bugs for this issue:

Affects: fedora-all [bug 1797689]
Comment 9 Salvatore Bonaccorso 2020-02-07 06:28:57 UTC 
Do you know if this was reported in the upstream issue tracker and there is a fix?
Comment 10 Cedric Buissart 2020-02-07 14:02:39 UTC 
Upstream is aware. There is currently no fix.
However, the security consequences are very limited. 
e.g. : Thanks to the webUI using client side TLS authentication, stealing a cookie will not be of much use to the attacker. 
At the moment, the only concerns are defacing.

If/when there is a fix upstream, it will be posted on this bug tracker.

I hope this helps!
Comment 11 Product Security DevOps Team 2020-11-04 02:21:18 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10179
Comment 12 errata-xmlrpc 2020-11-04 03:14:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4847 https://access.redhat.com/errata/RHSA-2020:4847
Comment 13 Alex Scheel 2020-12-02 16:49:19 UTC 
Fixed by 8884b4344225bd6656876d9e2a58b3268e9a899b and a93a65be0b1bcf94e004ba59c6a0c8a2c086936f upstream.
Comment 14 errata-xmlrpc 2021-03-15 13:25:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2021:0819 https://access.redhat.com/errata/RHSA-2021:0819
Comment 15 errata-xmlrpc 2021-03-16 13:48:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0851 https://access.redhat.com/errata/RHSA-2021:0851
Comment 16 errata-xmlrpc 2021-03-23 16:46:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:0975 https://access.redhat.com/errata/RHSA-2021:0975