Bug 1848092 (CVE-2019-16769)

Summary: CVE-2019-16769 npm-serialize-javascript: XSS via unsafe characters in serialized regular expressions
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adsoni, alegrand, anpicker, bdettelb, bmontgom, cmoore, eparis, erooth, fdeutsch, gmccullo, gparvin, jburrell, jokerman, jramanat, jschorr, jweiser, kakkoyun, kaycoth, kconner, lcosic, mloibl, nstielau, pkrupa, rcernich, sdunning, sponnaga, stcannon, surbania, tfister, thee, tomckay
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: npm-serialize-javascript 2.1.1 Doc Type: If docs needed, set a value
Doc Text:
A XSS flaw was found in npm-serialize-javascript. It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-01 19:28:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1849464, 1849465, 1850178, 1850922, 1851815    
Bug Blocks: 1848093    

Description Guilherme de Almeida Suckevicz 2020-06-17 16:41:06 UTC 
The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.

Reference:
https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-h9rv-jmmf-4pgx
Comment 1 Mark Cooper 2020-06-18 07:57:09 UTC 
Statement:

In both OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM), the grafana and prometheus containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable serialize-javascript library to authenticated users only, therefore the impact is low.
Comment 6 Mark Cooper 2020-06-22 01:27:21 UTC 
OpenShift (OCP) 4.x includes a vulnerable version of serialize-javascript (v1.7.0) in containers openshift4/ose-grafana and openshift4/ose-prometheus.

OpenShift ServiceMesh (OSSM) 1.1.x only, includes a vulnerable version (v1.7.0) in the openshift-service-mesh/grafana-rhel8 container.
Comment 9 Jason Shepherd 2020-06-23 22:58:32 UTC 
Upstream patch:
https://github.com/yahoo/serialize-javascript/commit/16a68ab53d9626fc7c942b48a1163108fcd184c8
Comment 14 errata-xmlrpc 2020-07-01 18:46:09 UTC 
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.1

Via RHSA-2020:2796 https://access.redhat.com/errata/RHSA-2020:2796
Comment 15 Product Security DevOps Team 2020-07-01 19:28:03 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-16769
Comment 16 errata-xmlrpc 2020-10-27 16:24:13 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2020:4298 https://access.redhat.com/errata/RHSA-2020:4298