Bug 1882273 (CVE-2019-20921)

Summary: CVE-2019-20921 nodejs-bootstrap-select: not escaping title values on <option> may lead to XSS
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aboyko, aos-bugs, bmontgom, boliveir, chazlett, dfediuck, eedri, emarcus, eparis, jburrell, jhadvig, jokerman, kconner, krathod, mgoldboi, michal.skrivanek, nobody, nstielau, pdrozd, pjindal, pskopek, rcernich, sbonazzo, sgratch, sherold, sponnaga, sthorger
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nodejs-bootstrap-select 1.13.6 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-04-14 16:46:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1909117, 1909118, 1909124    
Bug Blocks: 1882274    

Description Marian Rehak 2020-09-24 08:38:41 UTC 
Versions of bootstrap-select prior to 1.13.6 are vulnerable to Cross-Site Scripting (XSS). The package does not escape title values on <option> tags. This may allow attackers to execute arbitrary JavaScript in a victim's browser.

References:

https://github.com/advisories/GHSA-9r7h-6639-v5mw
Comment 1 Mark Cooper 2020-09-25 02:14:13 UTC 
Upstream fix: https://github.com/snapappointments/bootstrap-select/commit/9c0dc0dc06258c5993be3e5048b8919377a704ec
Comment 2 Mark Cooper 2020-09-25 02:50:01 UTC 
External References:

https://github.com/advisories/GHSA-9r7h-6639-v5mw
https://snyk.io/vuln/SNYK-JS-BOOTSTRAPSELECT-570457
Comment 6 Mark Cooper 2020-10-01 23:09:13 UTC 
Whilst yarn does report that both openshift3/ose-console and openshift4/ose-console containers do have bootstrap-select dependencies, when inspecting the webpack output the bootstrap-select code is not actually bundled (only some of the css stylesheets). Hence both containers are marked not affected.
Comment 8 Mark Cooper 2020-10-01 23:15:46 UTC 
Statement:

In OpenShift Service Mesh (OSSM) the openshift-service-mesh/kiali-rhel7 container (which installs the kiali rpm) is behind OpenShift OAuth authentication restricting access to the vulnerable bootstrap-select library to authenticated users only, therefore the impact is low.
Comment 13 errata-xmlrpc 2021-04-14 11:39:45 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2021:1169 https://access.redhat.com/errata/RHSA-2021:1169
Comment 14 errata-xmlrpc 2021-04-14 11:43:00 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2021:1186 https://access.redhat.com/errata/RHSA-2021:1186
Comment 15 Product Security DevOps Team 2021-04-14 16:46:35 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-20921