Bug 1763589 (CVE-2019-14863)

Summary: CVE-2019-14863 angular: Cross-site Scripting (XSS) due to no proper sanitization of xlink:href attributes
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: akoufoud, alazarot, almorale, anstephe, etirelli, ibek, jstastny, krathod, kverlaen, mnovotny, oranesteerr, paradhya, rrajasek, rsynek, sdaley
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: angular 1.5.0-beta.0
Doc Type: If docs needed, set a value
Doc Text:
A cross-site scripting (XSS) flaw was found in Angular. The flaw occurs because xlink:href attributes are not properly sanitized, which allows a web application to deliver attacker-controlled data to users, along with other trusted content, without proper validation.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-12-03 19:04:51 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1762305

Description Marian Rehak 2019-10-21 07:03:23 UTC
This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it.
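
The flaw shape described in the Doc Text, as an added example (not AngularJS's $sanitize source and not part of this bug report): a toy HTML fragment sanitizer that only scheme-checks attributes on a URI-attribute list. The allowlists, the payload, the scheme pattern (modelled on the shape of AngularJS's default aHrefSanitizationWhitelist, an assumption) and the function names are all constructed for illustration. With `xlink:href` left off the URI list, a `javascript:` URL inside an SVG `<a>` passes through; with it added, the same value is dropped while an `https:` link is kept.

```javascript
// Scheme allowlist (assumed shape; check the pattern your own version ships).
const SAFE_URI = /^\s*(https?|ftp|mailto|tel|file):/i;

// Attribute names whose values are URLs and must pass SAFE_URI.
// BEFORE: xlink:href is missing.  AFTER: it is treated like href.
const URI_ATTRS_BEFORE = new Set(['href', 'src', 'background', 'cite', 'longdesc', 'usemap']);
const URI_ATTRS_AFTER = new Set([...URI_ATTRS_BEFORE, 'xlink:href']);

// Constructed allowlists for this toy. xlink:href is a *permitted* SVG
// attribute; the defect is permitting it without treating it as a URL.
const ALLOWED_TAGS = new Set(['p', 'b', 'svg', 'a', 'circle']);
const ALLOWED_ATTRS = new Set(['cx', 'cy', 'r', 'width', 'height', 'fill', 'xlink:href']);

// Toy tokenizer. A regex is not a real HTML parser; it is enough for the demo.
const TAG_RE = /<(\/?)([a-zA-Z][\w:-]*)([^>]*)>/g;
const ATTR_RE = /([\w:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Decode entities before checking: "&#106;avascript:" is still javascript:.
function decodeEntities(s) {
  return s.replace(/&#x([0-9a-f]+);|&#(\d+);|&(amp|lt|gt|quot);/gi, (m, hex, dec, named) => {
    if (hex) return String.fromCodePoint(parseInt(hex, 16));
    if (dec) return String.fromCodePoint(parseInt(dec, 10));
    return { amp: '&', lt: '<', gt: '>', quot: '"' }[named.toLowerCase()];
  });
}

// Re-encode on output so the checked value is the one the browser sees.
function encodeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Returns [[name, rawValue], ...] with names lower-cased.
function parseAttrs(text) {
  const out = [];
  for (const m of text.matchAll(ATTR_RE)) {
    out.push([m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? '']);
  }
  return out;
}

// Sanitize a fragment given the set of attribute names treated as URLs.
// Text between tags is passed through untouched in this toy.
function sanitize(html, uriAttrs) {
  return html.replace(TAG_RE, (whole, closing, rawName, rest) => {
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return '';        // unknown element: drop the tag
    if (closing) return `</${name}>`;
    const selfClosing = /\/\s*$/.test(rest);
    const kept = [];
    for (const [attr, raw] of parseAttrs(rest.replace(/\/\s*$/, ''))) {
      const value = decodeEntities(raw);
      if (uriAttrs.has(attr)) {
        if (!SAFE_URI.test(value)) continue;       // unsafe scheme: drop the attribute
      } else if (!ALLOWED_ATTRS.has(attr)) {
        continue;                                  // not allowlisted: drop
      }
      kept.push(` ${attr}="${encodeAttr(value)}"`);
    }
    return `<${name}${kept.join('')}${selfClosing ? '/' : ''}>`;
  });
}

// Constructed inputs: an entity-obfuscated javascript: URL and a benign link.
const PAYLOAD = '<svg><a xlink:href="&#106;avascript:alert(1)"><circle r="40" fill="red"/></a></svg>';
const BENIGN = '<svg><a xlink:href="https://example.com/docs"><circle r="4"/></a></svg>';

function sanitizeBefore(html) { return sanitize(html, URI_ATTRS_BEFORE); }
function sanitizeAfter(html) { return sanitize(html, URI_ATTRS_AFTER); }

console.log('before fix:', sanitizeBefore(PAYLOAD));   // javascript: link survives
console.log('after fix: ', sanitizeAfter(PAYLOAD));    // xlink:href dropped
console.log('benign:    ', sanitizeAfter(BENIGN));     // https link kept
```

Two details the toy keeps that any real sanitizer must keep too: check the decoded value (otherwise `&#106;avascript:` slips past a literal-string check) and re-encode on output. Note that in the "before" case the sanitizer has also helpfully decoded the entity for the attacker, so the emitted markup carries a plain `javascript:` URL. For the actual vulnerability the fix is to move to angular 1.5.0-beta.0 or later (or the errata builds listed below), not to hand-patch a sanitizer.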

Comment 2 Marian Rehak 2019-10-21 07:28:26 UTC
External References:

https://snyk.io/vuln/npm:angular:20150807

Comment 5 errata-xmlrpc 2019-12-03 14:58:43 UTC
This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2019:4069 https://access.redhat.com/errata/RHSA-2019:4069

Comment 6 errata-xmlrpc 2019-12-03 15:13:57 UTC
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2019:4071 https://access.redhat.com/errata/RHSA-2019:4071

Comment 7 Product Security DevOps Team 2019-12-03 19:04:51 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14863
