Bug 1935978 (CVE-2020-28502)
| Field | Value |
|---|---|
| Summary | CVE-2020-28502 nodejs-xmlhttprequest: Code injection through user input to xhr.send |
| Product | [Other] Security Response |
| Reporter | Pedro Sampaio <psampaio> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED NOTABUG |
| Severity | high |
| Priority | high |
| Version | unspecified |
| CC | amctagga, anharris, anpicker, aos-bugs, bdettelb, bmontgom, bniver, eparis, erooth, extras-orphan, flucifre, gghezzo, gmeno, gparvin, hvyas, jburrell, jokerman, jramanat, jweiser, jwendell, lcosic, mbenjamin, mhackett, nstielau, rcernich, sd-operator-metering, sostapov, sponnaga, stcannon, surbania, tflannag, thee, tomckay, twalsh, vereddy |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Fixed In Version | xmlhttprequest 1.7.0 |
| Doc Type | If docs needed, set a value |
| Doc Text | An arbitrary code injection vulnerability was found in nodejs-xmlhttprequest. For this vulnerability to occur, the connection must be initialized during the function call XMLHttpRequest.open to send requests synchronously using the parameter `async=false`. If the subsequent calls to xhr.send functions are with user-controllable input, this flaw allows an attacker to execute arbitrary code. If the xhr.send function is called on the server on behalf of a user, this allows execution on the Node.js server using the privileges of the Node.js process. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. |
| Last Closed | 2021-10-28 01:13:59 UTC |
| Bug Depends On | 1935979, 1935980 |
| Bug Blocks | 1935981 |
Description
Pedro Sampaio
2021-03-05 20:39:12 UTC
Created nodejs-xmlhttprequest tracking bugs for this issue:

Affects: fedora-all [bug 1935979]

Created nodejs-xmlhttprequest-ssl tracking bugs for this issue:

Affects: fedora-32 [bug 1935980]

Upstream fix: https://github.com/driverdan/node-XMLHttpRequest/commit/983cfc244c7567ad6a59e366e55a8037e0497fe6

XMLHTTPRequest is included in Red Hat Quay as a dependency of engine.io-client, which is a development dependency and only used at build time.

External References:
https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082938

OpenShift Container Platform (OCP) grafana-container for 4.5 still has references to xmlhttprequest, as it is grafana v6.5.3. However, it's xmlhttprequest v1.8.0 and is not affected.

For OpenShift ServiceMesh (OSSM), it's using grafana v6.4.3, and that is a vulnerable version of xmlhttprequest. However, the only reference to it in the code is from d3-request, which uses it to push to jsDelivr: https://github.com/d3/d3-request/blob/62551679e4f8a0cbce222174db8dcbcf3b0fd437/package.json#L20

Also checked the delivered container itself for markers from the xmlhttprequest source and couldn't find anything. Hence it's been marked as not affected.

Statement:

While the OpenShift ServiceMesh (OSSM) grafana-container source does have a vulnerable version of nodejs-xmlhttprequest, it does not bundle or use the library in the released product. Therefore, the container has been marked `not affected`.

For the OpenShift Container Platform (OCP), the grafana-container for OCP 4.5 is already using a non-affected version of xmlhttprequest (v1.8.0). Later versions of the container (4.6+) don't include xmlhttprequest.

For Red Hat Advanced Cluster Management for Kubernetes (RHACM), the different components using xmlhttprequest are already using a non-affected version (v1.8.0). Therefore, all supported RHACM versions have been marked `not affected`.

For Red Hat Ceph Storage (RHCS) 3 and 4, the grafana-container is already using a non-affected version of xmlhttprequest (v1.8.0).