Bug 1901662 (CVE-2020-26237)

Summary: CVE-2020-26237 nodejs-highlight-js: prototype pollution via a crafted HTML code block
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bdettelb, extras-orphan, jcantril, mcooper, nodejs-sig, periklis, tchollingsworth, tomckay
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: highlight.js 9.18.2, highlight.js 10.1.2 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nodejs-highlight-js. Highlight.js is vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will result in prototype pollution of the base object's prototype during highlighting.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-19 14:08:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1901663, 1901664    
Bug Blocks: 1901666    

Description Guilherme de Almeida Suckevicz 2020-11-25 18:36:00 UTC 
Highlight.js is a syntax highlighter written in JavaScript. Highlight.js versions before 9.18.2 and 10.1.2 are vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will result in prototype pollution of the base object's prototype during highlighting. If you allow users to insert custom HTML code blocks into your page/app via parsing Markdown code blocks (or similar) and do not filter the language names the user can provide you may be vulnerable. The pollution should just be harmless data but this can cause problems for applications not expecting these properties to exist and can result in strange behavior or application crashes, i.e. a potential DOS vector. If your website or application does not render user provided data it should be unaffected. Versions 9.18.2 and 10.1.2 and newer include fixes for this vulnerability. If you are using version 7 or 8 you are encouraged to upgrade to a newer release.

Reference:
https://github.com/highlightjs/highlight.js/security/advisories/GHSA-vfrc-7r7c-w9mx

Upstream patches:
https://github.com/highlightjs/highlight.js/pull/2636
https://github.com/highlightjs/highlight.js/commit/7241013ae011a585983e176ddc0489a7a52f6bb0
Comment 1 Guilherme de Almeida Suckevicz 2020-11-25 18:36:22 UTC 
Created nodejs-highlight-js tracking bugs for this issue:

Affects: epel-all [bug 1901664]
Affects: fedora-all [bug 1901663]
Comment 2 Mark Cooper 2020-11-26 00:00:20 UTC 
External References:

https://github.com/highlightjs/highlight.js/security/advisories/GHSA-vfrc-7r7c-w9mx
Comment 4 Stoyan Nikolov 2020-12-18 11:06:36 UTC 
Statement:

In Red Hat Virtualization, ovirt-engine-api-explorer uses a vulnerable version of highlight.js, however since release 4.4.3 ovirt-engine-api-explorer is obsoleted and no longer used.
Comment 6 errata-xmlrpc 2021-10-19 12:10:24 UTC 
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917
Comment 7 Product Security DevOps Team 2021-10-19 14:08:19 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-26237