Bug 1850004 (CVE-2020-11023)

Summary: CVE-2020-11023 jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution
Product: [Other] Security Response
Reporter: Michael Kaplan <mkaplan>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aboyko, agerstmayr, aileenc, akarol, alegrand, amctagga, anpicker, anprice, aos-bugs, apevec, bmontgom, bpeterse, cbuissar, cfeist, chazlett, cluster-maint, cmeyers, dbecker, dblechte, dfediuck, dmetzger, drieden, eedri, eparis, erooth, extras-orphan, fedora, frenaud, ganandan, gblomqui, ggaughan, gmainwar, gmalinko, gmccullo, gtanzill, hhorak, hvyas, idevat, janstey, jburrell, jfearn, jfrey, jhardy, jjoyce, jkurik, jochrist, jokerman, jorton, jpallich, jschluet, jshepherd, jsmith.fedora, jwon, kakkoyun, kbasil, kconner, krathod, lcosic, lewk, lhh, lpeer, mabashia, maschmid, mburns, mcooper, mcressma, mgoldboi, mgoodwin, michal.skrivanek, mlisik, mloibl, mpitt, mpospisi, mrunge, nathans, nobody, nodejs-sig, notting, nstielau, obarenbo, omachace, omular, openstack-sig, patrickm, pcp-maint, pdrozd, peter, pjindal, pkrupa, puebele, puiterwijk, python-maint, qguo, rcernich, rcritten, rdopiera, rhcs-maint, Rhev-m-bugs, rhos-maint, roliveri, rpetrell, ruby-maint, rulong, sbonazzo, sclewis, security-response-team, sgratch, shawn, sherold, simaishi, slavek.kabrda, slinaber, smallamp, smcdonal, sponnaga, sthorger, stickster, strzibny, surbania, tojeline, tross, tscherf, twoerner, vbellur, vondruch, yturgema
Target Milestone: ---
Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jQuery 3.5.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in jQuery in versions from 1.0.3 through 3.5.0. When HTML containing <option> elements from untrusted sources is passed, even after sanitizing, to one of jQuery's DOM manipulation methods, untrusted code may be executed. The highest threat from this vulnerability is to data confidentiality and integrity.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-07-02 13:27:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1850006, 1850007, 1850008, 1850009, 1850011, 1850014, 1850015, 1850016, 1850018, 1850019, 1850020, 1850021, 1850022, 1850982, 1851296, 1852327, 1852330, 1852401, 1852402, 1852403, 1859248, 1859249, 1882291, 1882292, 1882296, 1889869, 1828636, 1850010, 1850012, 1850013, 1850017, 1850023, 1851251, 1851252, 1851253, 1851295, 1852328, 1852329, 1852400, 1859250, 1859251, 1859253, 1859254, 1859255, 1859291, 1859292, 1859293, 1882717, 1888387    
Bug Blocks: 1850024    

Description Michael Kaplan 2020-06-23 12:03:01 UTC
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

References:

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released
https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6
https://jquery.com/upgrade-guide/3.5/
https://security.netapp.com/advisory/ntap-20200511-0006/
https://www.debian.org/security/2020/dsa-4693
https://www.drupal.org/sa-core-2020-002

Comment 1 Michael Kaplan 2020-06-23 12:05:40 UTC
Created drupal7 tracking bugs for this issue:

Affects: epel-all [bug 1850023]
Affects: fedora-all [bug 1850013]


Created js-jquery tracking bugs for this issue:

Affects: epel-7 [bug 1850008]
Affects: fedora-all [bug 1850015]


Created js-jquery1 tracking bugs for this issue:

Affects: epel-7 [bug 1850006]
Affects: fedora-all [bug 1850022]


Created js-jquery2 tracking bugs for this issue:

Affects: fedora-all [bug 1850016]


Created python-XStatic-jQuery tracking bugs for this issue:

Affects: epel-7 [bug 1850007]
Affects: fedora-all [bug 1850018]
Affects: openstack-rdo [bug 1850011]


Created python-XStatic-jquery-ui tracking bugs for this issue:

Affects: epel-7 [bug 1850010]
Affects: fedora-all [bug 1850017]
Affects: openstack-rdo [bug 1850012]


Created python-tw-jquery tracking bugs for this issue:

Affects: epel-6 [bug 1850014]


Created python-tw2-jquery tracking bugs for this issue:

Affects: epel-6 [bug 1850021]
Affects: epel-7 [bug 1850009]
Affects: fedora-all [bug 1850020]


Created rubygem-jquery-rails tracking bugs for this issue:

Affects: fedora-all [bug 1850019]

Comment 8 Mark Cooper 2020-06-25 06:43:09 UTC
OpenShift ServiceMesh includes a vulnerable version of jquery (3.4.1) in servicemesh-grafana.

Comment 9 Mark Cooper 2020-06-25 07:00:12 UTC
[edited] Upstream fix: https://github.com/jquery/jquery/commit/966a70909019aa09632c87c0002c522fa4a1e30e

In the advisory from jquery they talk about removing the regex functionality from htmlPrefilter, "The jQuery.htmlPrefilter function does not use a regex in 3.5.0 and passes the string through unchanged."
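
The Doc Text above and comment 9 describe the same mechanism: jQuery's manipulation methods ran the caller's HTML through jQuery.htmlPrefilter, which rewrote it after any sanitizer had already approved it, and 3.5.0 makes that function pass the string through unchanged. The following is an added example, not code from this bug report or from jQuery itself: it places a reconstruction of the pre-3.5 self-closing-tag rewrite beside the 3.5.0 identity behaviour and reports whether a sanitizer-approved string would reach the DOM parser altered. The regex is reproduced from memory of jQuery 3.4.1's source and is an assumption here since the page does not quote it, and auditPrefilter is a hypothetical helper name.

```javascript
// Added example, not code from the bug report or from jQuery.
// Reconstructs the pre-3.5 jQuery.htmlPrefilter self-closing-tag rewrite
// (regex reproduced from memory of jQuery 3.4.1; treat it as an approximation)
// next to the 3.5.0 identity version, to show why a string a sanitizer
// approved can still differ from what jQuery < 3.5.0 actually parsed.

// Void elements in the negative lookahead were left alone; any other tag
// written as <tag/> was expanded to <tag></tag> before parsing.
const rxhtmlTag =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// Behaviour of jQuery < 3.5.0: rewrite markup after the caller's sanitizer ran.
function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// Behaviour of jQuery 3.5.0: pass the string through unchanged.
function fixedHtmlPrefilter(html) {
  return html;
}

// Defender's check (hypothetical helper): does the prefilter alter what the
// sanitizer approved? Returns the markup each version hands to the DOM parser
// and whether the legacy version changed it.
function auditPrefilter(sanitizedHtml) {
  const legacy = legacyHtmlPrefilter(sanitizedHtml);
  const fixed = fixedHtmlPrefilter(sanitizedHtml);
  return { legacy, fixed, rewrittenByLegacy: legacy !== sanitizedHtml };
}

// Constructed sample: harmless markup with <option> elements, one
// self-closing non-void tag (<b/>) and one void tag (<img/>), as a
// sanitizer might emit it.
const SAMPLE = "<option><b/>first</option><option>second<img/></option>";

// Legacy rewrite expands <b/> and leaves <img/> alone; 3.5.0 changes nothing.
console.log(auditPrefilter(SAMPLE));
```

The rewritten <b/> shows that the sanitizer's verdict applied to a different string than the one jQuery < 3.5.0 parsed, which is why the fix is the 3.5.0 prefilter change rather than sanitizing alone.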

Comment 10 Mark Cooper 2020-06-25 07:06:21 UTC
Further to comment 8, grafana actually does package jQuery 3.5.0, included as a patch in the RPM, and hence is not affected.

Comment 17 Summer Long 2020-06-26 04:29:47 UTC
External References:

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Comment 20 Hardik Vyas 2020-06-30 10:56:31 UTC
The storage products below include a vulnerable version of jQuery in grafana and grafana-container:

Ceph-3 grafana : jquery-3.3.1
Ceph-3 grafana-container : jquery-3.3.1
Ceph-4 grafana-container : jquery-3.3.1
Gluster grafana : jquery-3.2.1

Comment 24 errata-xmlrpc 2020-07-02 13:21:56 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4.1

Via RHSA-2020:2813 https://access.redhat.com/errata/RHSA-2020:2813

Comment 25 Product Security DevOps Team 2020-07-02 13:27:52 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-11023

Comment 26 errata-xmlrpc 2020-07-13 17:23:26 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2020:2412 https://access.redhat.com/errata/RHSA-2020:2412

Comment 30 errata-xmlrpc 2020-08-04 13:16:03 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2020:3247 https://access.redhat.com/errata/RHSA-2020:3247

Comment 31 errata-xmlrpc 2020-08-06 20:17:46 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.1
  Openshift Service Mesh 1.1

Via RHSA-2020:3369 https://access.redhat.com/errata/RHSA-2020:3369

Comment 34 errata-xmlrpc 2020-09-23 16:10:50 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2020:3807 https://access.redhat.com/errata/RHSA-2020:3807

Comment 38 Cedric Buissart 2020-09-24 09:27:09 UTC
Created pcs tracking bugs for this issue:

Affects: fedora-all [bug 1882296]

Comment 47 errata-xmlrpc 2020-10-08 06:59:57 UTC
This issue has been addressed in the following products:

  A-MQ Interconnect 1.y for RHEL 7
  A-MQ Interconnect 1.y for RHEL 6
  A-MQ Interconnect 1.y for RHEL 8

Via RHSA-2020:4211 https://access.redhat.com/errata/RHSA-2020:4211

Comment 48 Cedric Buissart 2020-10-08 08:38:23 UTC
Statement:

Red Hat Enterprise Linux versions 6, 7 and 8 ship a vulnerable version of jQuery in the `pcs` component. However, the vulnerability has not been found to be exploitable in reasonable scenarios. A future update may update jQuery to a fixed version.

Comment 52 errata-xmlrpc 2020-10-27 16:24:29 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2020:4298 https://access.redhat.com/errata/RHSA-2020:4298

Comment 53 errata-xmlrpc 2020-11-04 03:14:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4847 https://access.redhat.com/errata/RHSA-2020:4847