Bug 1932323 (CVE-2021-26540)

Summary: CVE-2021-26540 sanitize-html: improper validation of hostnames set by the "allowedIframeHostnames" option can lead to bypass hostname whitelist for iframe element
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: alegrand, anpicker, aos-bugs, bmontgom, eparis, erooth, jburrell, jhadvig, jokerman, jwendell, kakkoyun, kaycoth, kconner, lcosic, nstielau, pkrupa, rcernich, sponnaga, surbania, twalsh, vmugicag
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: sanitize-html 2.3.2 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-07-28 01:06:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1934324, 1934325, 1934329, 1934613, 1934614, 1934615, 1934616, 1934618, 1934619, 1934620, 1934621, 1934622    
Bug Blocks: 1927304    

Description Guilherme de Almeida Suckevicz 2021-02-24 13:33:53 UTC 
Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with "/\\example.com".

Reference:
https://github.com/apostrophecms/sanitize-html/pull/460
Comment 5 errata-xmlrpc 2021-07-27 22:31:58 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438
Comment 6 Product Security DevOps Team 2021-07-28 01:06:47 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-26540
Comment 7 errata-xmlrpc 2021-10-18 17:28:18 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2021:3759 https://access.redhat.com/errata/RHSA-2021:3759