Bug 1721137 (CVE-2019-10180)
| Summary: | CVE-2019-10180 pki-core: unsanitized token parameters in TPS resulting in stored XSS | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | msiddiqu |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | alee, carnil, cbuissar, cfu, dsirrine, edewata, jmagne, mharmsen, prisingh, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
It was found that the Token Processing Service (TPS) did not properly sanitize several parameters stored for the tokens, possibly resulting in a Stored Cross Site Scripting (XSS) vulnerability. An attacker able to modify the parameters of any token could use this flaw to trick an authenticated user into executing arbitrary JavaScript code.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-03-23 17:35:17 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1724697, 1793076, 1798080, 1931715 | ||
| Bug Blocks: | 1721139 | ||
|
Description
msiddiqu
2019-06-17 12:57:19 UTC
Acknowledgments: Name: Pritam Singh (Red Hat) Reducing the severity to Low : the attacker needs to be able to modify the token policies in order to store the javascript code. This requires high privileges. Created pki-core tracking bugs for this issue: Affects: fedora-all [bug 1798080] Do you know if this was reported in the upstream issue tracker and there is a fix? Upstream is aware. There is currently no fix. I will check for upstream issue tracker. However, the security consequences are very limited. e.g. : Thanks to the webUI using client side TLS authentication, stealing a cookie will not be of much use to the attacker. At the moment, the only concerns are defacing. If/when there is a fix upstream, it will be posted on this bug tracker. I hope this helps! This issue has been addressed in the following products: Red Hat Certificate System 9.7 Via RHSA-2021:0947 https://access.redhat.com/errata/RHSA-2021:0947 This issue has been addressed in the following products: Red Hat Certificate System 9.4 EUS Via RHSA-2021:0948 https://access.redhat.com/errata/RHSA-2021:0948 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10180 Hi (In reply to Cedric Buissart from comment #10) > Upstream is aware. There is currently no fix. I will check for upstream > issue tracker. > > However, the security consequences are very limited. > e.g. : Thanks to the webUI using client side TLS authentication, stealing a > cookie will not be of much use to the attacker. > At the moment, the only concerns are defacing. > > If/when there is a fix upstream, it will be posted on this bug tracker. > > I hope this helps! Do you have a reference for the upstream issue and fix? Noticed that RHSA were posted for it, so assume it was fixed in meanwhile, do you know more? Thanks already! Hello Salvatore, Apologies for the delayed answer. Thanks for pointing this out! The 3 XSS that affected TPS (CVE-2020-1696, CVE-2019-10180 and CVE-2019-10178) have been fixed via this commit: https://github.com/dogtagpki/pki/commit/1dbb07f8e41b4809b0f41a7643c37301fcf712d8 |