Bug 1930915 (CVE-2021-20066)
| Summary: | CVE-2021-20066 jsdom: improper loading of local resources | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | alegrand, anpicker, bmontgom, eparis, erooth, gghezzo, gparvin, jburrell, jokerman, jramanat, jshaughn, jweiser, jwendell, kakkoyun, kaycoth, kconner, lcosic, nstielau, pkrupa, rcernich, sponnaga, stcannon, surbania, thee, twalsh |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in jsdom. JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-03-03 19:01:57 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1930916 | | |
Description
Guilherme de Almeida Suckevicz
2021-02-19 19:08:44 UTC
External References: https://www.tenable.com/security/research/tra-2021-05

No upstream fix, as the upstream maintainers do not agree this is a security issue.

From the report, https://www.tenable.com/security/research/tra-2021-05, yes the example works, but I suppose it wasn't designed to load local resources? Probably not much of an issue from a client-side perspective (maybe some scenarios where some data could be leaked back to the server), but from a server perspective, if a new JSDOM built from source is using un-trusted input, then it is feasible that it could load server resources. BUT that is kind of what that function is designed to do, so I do understand where the maintainers are coming from here.

From an OCP and OSSM perspective, none of the components are enabling the loading of resources and are only using jsdom in a testing context. Hence they've been marked as Low, and wontfix.

Statement:
For an application which includes jsdom to be vulnerable to this CVE, it must at least enable the loading of resources using something similar to: `new JSDOM(html, {resources: "usable"})`, where `html` is un-trusted input. Furthermore, scripts can be executed by extending the options similar to: `new JSDOM(html, {resources: "usable", runScripts: "dangerously"})`. [1]
OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM) both include components that package a vulnerable version of `jsdom`. However, none of the components directly enable the loading of resources via `resources: "usable"` and most components only include `jsdom` for use in tests. Hence for OCP and OSSM the affects are rated to have a Low impact and are wontfix at this time and might be fixed in a future release.
[1] https://github.com/jsdom/jsdom#loading-subresources
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-20066
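The statement above names the option combination that turns un-trusted HTML into a risk. As an added example (not code from this bug report or from the jsdom project), the block below audits JSDOM constructor options for that combination and applies a subresource allow-list of the kind a custom jsdom `ResourceLoader.fetch()` override could enforce; `RestrictedLoader` stands in for a real `ResourceLoader` subclass and `fetcher` is a hypothetical callback, so the block runs with plain Node.js and no jsdom install.

```javascript
// Added example, not from the bug report or the jsdom project. Pure Node.js.

// Report which risky jsdom options are set. resources: "usable" is the
// precondition named in the statement; runScripts: "dangerously" escalates it.
function auditJsdomOptions(options = {}) {
  const findings = [];
  if (options.resources === "usable") {
    findings.push("resources=usable: document may load subresources, including local ones");
  }
  if (options.runScripts === "dangerously") {
    findings.push("runScripts=dangerously: scripts embedded in the document will execute");
  }
  return findings;
}

// Subresource policy: allow only http(s) URLs. file:, data: and unparsable
// URLs are denied, which covers the local-resource case this CVE describes.
function allowSubresource(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // not a valid absolute URL; never fetch it
  }
  return parsed.protocol === "http:" || parsed.protocol === "https:";
}

// Stand-in for a jsdom ResourceLoader subclass. fetch() returns null for a
// denied URL (the ResourceLoader contract treats null as "skip this resource")
// and records the decision for later review; allowed URLs go to `fetcher`,
// a hypothetical callback that performs the real retrieval.
class RestrictedLoader {
  constructor(fetcher) {
    this.fetcher = fetcher;
    this.denied = [];
  }

  fetch(url) {
    if (!allowSubresource(url)) {
      this.denied.push(url);
      return null;
    }
    return this.fetcher(url);
  }
}

// Constructed sample: an HTML document from an untrusted source would be
// loaded as new JSDOM(html, { resources: new RestrictedLoader(fetcher) })
// with runScripts left unset, so scripts never run and only http(s) loads occur.
```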