Bug 1850119 (CVE-2020-7656)
| Summary: | CVE-2020-7656 jquery: Cross-site scripting (XSS) via <script> HTML tags containing whitespaces | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Michael Kaplan <mkaplan> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aboyko, agerstmayr, aileenc, akarol, alazarot, alegrand, amasferr, anpicker, anprice, anstephe, aos-bugs, apevec, bmontgom, cfeist, chazlett, cluster-maint, dbecker, dblechte, dfediuck, dmetzger, drieden, eedri, emingora, eparis, erooth, etirelli, extras-orphan, fedora, frenaud, ganandan, ggaughan, gmalinko, gmccullo, gtanzill, hhorak, hvyas, ibek, idevat, janstey, jburrell, jfrey, jhardy, jjoyce, jkurik, jochrist, jokerman, jorton, jpallich, jrokos, jschluet, jsmith.fedora, jstastny, jwon, kakkoyun, kconner, krathod, kverlaen, lcosic, lewk, lhh, lpeer, maschmid, mburns, mcooper, mcressma, mgoldboi, mgoodwin, michal.skrivanek, mkudlej, mlisik, mloibl, mnovotny, mpospisi, mrunge, nathans, nobody, nodejs-sig, nstielau, obarenbo, omachace, omular, openstack-sig, patrickm, pcp-maint, pdrozd, peter.borsa, pjindal, pkrupa, puebele, puiterwijk, python-maint, rcernich, rcritten, rdopiera, rguimara, rhcs-maint, Rhev-m-bugs, rhos-maint, roliveri, rrajasek, ruby-maint, sbonazzo, sclewis, sgratch, shawn, sherold, simaishi, slavek.kabrda, slinaber, smallamp, sponnaga, sthorger, stickster, strzibny, surbania, tjochec, tojeline, tross, tscherf, twoerner, tzimanyi, vondruch, yturgema |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | jquery 1.9.0 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in jquery in versions prior to 1.9.0. A cross-site scripting attack is possible as the load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character which results in the enclosed script logic to be executed. The highest threat from this vulnerability is to data confidentiality and integrity.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-10-08 08:21:14 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1850120, 1850121, 1850123, 1850125, 1850126, 1850127, 1850128, 1850129, 1850130, 1850131, 1850132, 1850133, 1850134, 1850135, 1850136, 1850137, 1850138, 1850139, 1859615, 1859616, 1859617, 1859618, 1859619, 1886340, 1886341, 1886342, 1910644 | ||
| Bug Blocks: | 1850024 | ||
|
Description
Michael Kaplan
2020-06-23 15:07:57 UTC
Created drupal7 tracking bugs for this issue: Affects: epel-all [bug 1850138] Affects: fedora-all [bug 1850136] Created js-jquery tracking bugs for this issue: Affects: epel-7 [bug 1850123] Affects: fedora-all [bug 1850127] Created js-jquery1 tracking bugs for this issue: Affects: epel-7 [bug 1850134] Affects: fedora-all [bug 1850133] Created js-jquery2 tracking bugs for this issue: Affects: fedora-all [bug 1850126] Created python-XStatic-jQuery tracking bugs for this issue: Affects: epel-7 [bug 1850139] Affects: fedora-all [bug 1850129] Affects: openstack-rdo [bug 1850135] Created python-XStatic-jquery-ui tracking bugs for this issue: Affects: epel-7 [bug 1850121] Affects: fedora-all [bug 1850128] Affects: openstack-rdo [bug 1850125] Created python-tw-jquery tracking bugs for this issue: Affects: epel-6 [bug 1850137] Created python-tw2-jquery tracking bugs for this issue: Affects: epel-6 [bug 1850132] Affects: epel-7 [bug 1850120] Affects: fedora-all [bug 1850131] Created rubygem-jquery-rails tracking bugs for this issue: Affects: fedora-all [bug 1850130] OpenShift ServiceMesh includes jquery versions not vulnerable to this flaw: - kiali jquery v3.5.0 - servicemesh-grafana jquery v3.5.0 Removing Satellite 5 from affects list since it is EOL. CloudForms do not use version less than 1.9.0 hence not affected. [ytale@cordelia]# grep -inr "jQuery JavaScript Library v" jquery.js:2: * jQuery JavaScript Library v1.12.4 jquery2.js:2: * jQuery JavaScript Library v2.2.4 jquery3.js:2: * jQuery JavaScript Library v3.4.1 All OpenShift Container Platform components which include jQuery include a version later than 1.9.0 and are therefore unaffected by this flaw. Non of the storage products include affected version of jQuery, hence not affected by this flaw. Ceph-3 grafana : jquery-3.3.1 Ceph-3 grafana-container : jquery-3.3.1 Ceph-4 grafana-container : jquery-3.3.1 Gluster grafana-4.6.4-1.el7rhgs : jquery-3.2.1 RHEV-M projects use jquery 3.4.1 thus not affected This issue has been addressed in the following products: A-MQ Interconnect 1.y for RHEL 7 A-MQ Interconnect 1.y for RHEL 6 A-MQ Interconnect 1.y for RHEL 8 Via RHSA-2020:4211 https://access.redhat.com/errata/RHSA-2020:4211 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-7656 Created pcs tracking bugs for this issue: Affects: fedora-all [bug 1886340] Statement: Red Hat Enterprise Linux version 6, 7 and 8 ship a vulnerable version of JQuery in the `pcs` component. However the vulnerable has not been found to be exploitable in reasonable scenarios. A future update may update JQuery to a fixed version. This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4142 https://access.redhat.com/errata/RHSA-2021:4142 |