Bug 1937445 (CVE-2020-13959)
Summary: | CVE-2020-13959 velocity: XSS in the default error page for VelocityView | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | aboyko, aileenc, akoufoud, akurtako, alazarot, almorale, andjrobins, anstephe, aos-bugs, asoldano, atangrin, ataylor, bbaranow, bibryam, bmaxwell, bmontgom, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dbhole, devrim, dkreling, dosoudil, drieden, ebaron, eclipse-sig, eleandro, eparis, etirelli, fjuma, ganandan, ggaughan, gmalinko, gvarsami, hbraun, ibek, iweiss, janstey, java-maint, java-maint-sig, java-sig-commits, jburrell, jcantril, jcoleman, jerboaa, jjohnstn, jochrist, jokerman, jolee, jperkins, jross, jschatte, jstastny, jwon, kconner, krathod, kverlaen, kwills, ldimaggi, lef, lgao, loleary, mizdebsk, mnovotny, msochure, msvehla, nstielau, nwallace, pantinor, pjindal, pmackay, rgrunber, rguimara, rhcs-maint, rrajasek, rstancel, rsvoboda, rsynek, rwagner, sdaley, sd-operator-metering, smaestri, sochotni, spinder, sponnaga, tcunning, tflannag, theute, tkirby, tom.jenkinson, yborgess |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | velocity-tools 3.1 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2021-04-13 12:38:57 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1937446, 1937447 | ||
Bug Blocks: | 1937449 |
Description
Guilherme de Almeida Suckevicz
2021-03-10 16:46:38 UTC
Created eclipse tracking bugs for this issue: Affects: fedora-all [bug 1937446] Created velocity tracking bugs for this issue: Affects: fedora-all [bug 1937447] Upstream fix https://github.com/apache/velocity-tools/commit/e141828a4eb03e4b0224535eed12b5c463a24152 (i believe) Both hive-container and logging-elasticsearch6-container don't have any references to velocity-tools. I also checked the included velocity.jar and it doesn't include the affected classes. I think the only product here to be affected will be fuse based on our manifests? Flaw summary: Apache velocity-tools' VelocityView, has an error page which appears when a user attempts to access a non-existent file on the server. It reflects the filename of the page requested on the error page without first sanitizing the text. This could allow a malicious actor to execute JavaScript on the page in a reflected cross-site scripting attack. The (one liner) patch applied upstream in velocity-tools-view/src/main/java/org/apache/velocity/tools/view/VelocityViewServlet.java uses the StringEscapeUtils.escapeHtml4() method to first sanitize the input and prevent such an attack. Statement: velocity as shipped in Red Hat Enterprise Linux 6, 7, and 8, as well as CodeReady Studio 12, is not affected by this flaw as the affected velocity-tools code is not present in shipped products. This includes those shipped in javapackages-tools and pki-deps as well. This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-13959 |