Bug 1937445 (CVE-2020-13959)

Summary: CVE-2020-13959 velocity: XSS in the default error page for VelocityView
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: aboyko, aileenc, akoufoud, akurtako, alazarot, almorale, andjrobins, anstephe, aos-bugs, asoldano, atangrin, ataylor, bbaranow, bibryam, bmaxwell, bmontgom, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dbhole, devrim, dkreling, dosoudil, drieden, ebaron, eclipse-sig, eleandro, eparis, etirelli, fjuma, ganandan, ggaughan, gmalinko, gvarsami, hbraun, ibek, iweiss, janstey, java-maint, java-maint-sig, java-sig-commits, jburrell, jcantril, jcoleman, jerboaa, jjohnstn, jochrist, jokerman, jolee, jperkins, jross, jschatte, jstastny, jwon, kconner, krathod, kverlaen, kwills, ldimaggi, lef, lgao, loleary, mizdebsk, mnovotny, msochure, msvehla, nstielau, nwallace, pantinor, pjindal, pmackay, rgrunber, rguimara, rhcs-maint, rrajasek, rstancel, rsvoboda, rsynek, rwagner, sdaley, sd-operator-metering, smaestri, sochotni, spinder, sponnaga, tcunning, tflannag, theute, tkirby, tom.jenkinson, yborgess
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: velocity-tools 3.1
Last Closed: 2021-04-13 12:38:57 UTC
Bug Depends On: 1937446, 1937447
Bug Blocks: 1937449

Description Guilherme de Almeida Suckevicz 2021-03-10 16:46:38 UTC
The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.

References:
https://lists.apache.org/thread.html/r6802a38c3041059e763a1aadd7b37fe95de75408144b5805e29b84e3%40%3Cuser.velocity.apache.org%3E
http://www.openwall.com/lists/oss-security/2021/03/10/2

Comment 1 Guilherme de Almeida Suckevicz 2021-03-10 16:47:18 UTC
Created eclipse tracking bugs for this issue:

Affects: fedora-all [bug 1937446]


Created velocity tracking bugs for this issue:

Affects: fedora-all [bug 1937447]

Comment 4 Mark Cooper 2021-03-11 05:00:27 UTC
Both hive-container and logging-elasticsearch6-container don't have any references to velocity-tools. I also checked the included velocity.jar and it doesn't include the affected classes. 

I think the only product here to be affected will be fuse based on our manifests?

Comment 7 Todd Cullum 2021-03-16 21:51:51 UTC
Flaw summary:

Apache velocity-tools' VelocityView has an error page which appears when a user attempts to access a non-existent file on the server. It reflects the filename of the page requested on the error page without first sanitizing the text. This could allow a malicious actor to execute JavaScript on the page in a reflected cross-site scripting attack. The (one-liner) patch applied upstream in velocity-tools-view/src/main/java/org/apache/velocity/tools/view/VelocityViewServlet.java uses the StringEscapeUtils.escapeHtml4() method to first sanitize the input and prevent such an attack.
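
The reflect-then-escape pattern described in Comment 7, as an added illustration that is not velocity-tools' own code: a minimal error-page renderer that reflects the requested template name, shown in its unescaped form beside the escaped form. The error-page wording, the class and method names, and the `escapeHtml4Minimal` helper are assumptions made here; the helper stands in for the `StringEscapeUtils.escapeHtml4()` call the upstream patch uses, and the requested-name sample is constructed.

```java
/**
 * Added example, not velocity-tools code: shows why a reflected template
 * name must be HTML-escaped before it is written into an error page.
 * Page wording and names below are illustrative, not VelocityViewServlet's.
 */
public class ErrorPageReflectionExample {

    /**
     * Minimal stand-in for StringEscapeUtils.escapeHtml4(): replaces the
     * characters that can change HTML structure with named entities.
     * The real method also maps ISO-8859-1 and other HTML 4 entities and,
     * like this stand-in, does not escape the apostrophe, so a value placed
     * inside a single-quoted attribute still needs attribute-specific escaping.
     */
    static String escapeHtml4Minimal(String s) {
        if (s == null) return null;
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    /** Pre-3.1 behaviour: the requested name is concatenated into markup as-is. */
    static String renderErrorPageUnescaped(String requestedTemplate) {
        return "<html><body><h2>Error processing a template for path '"
                + requestedTemplate + "'</h2></body></html>";
    }

    /** Post-fix behaviour: same page, but the reflected value is escaped first. */
    static String renderErrorPageEscaped(String requestedTemplate) {
        return "<html><body><h2>Error processing a template for path '"
                + escapeHtml4Minimal(requestedTemplate) + "'</h2></body></html>";
    }

    /** True if the reflected value appears verbatim and contains markup delimiters. */
    static boolean reflectsRawMarkup(String page, String reflected) {
        return page.contains(reflected) && reflected.matches("(?s).*[<>\"&].*");
    }

    public static void main(String[] args) {
        // Constructed sample: a path segment carrying markup, not a real template name.
        String requested = "<em>not-a-template</em>.vm";

        String vulnerable = renderErrorPageUnescaped(requested);
        String fixed = renderErrorPageEscaped(requested);

        System.out.println("unescaped page reflects raw markup: "
                + reflectsRawMarkup(vulnerable, requested)); // true
        System.out.println("escaped page reflects raw markup:   "
                + reflectsRawMarkup(fixed, requested));      // false
        System.out.println(fixed);
    }
}
```

Compile and run with `javac ErrorPageReflectionExample.java && java ErrorPageReflectionExample`; the escaped page shows `&lt;em&gt;not-a-template&lt;/em&gt;.vm` as text, which is the whole effect of the one-line upstream fix. The reflected value here lands in element content, where escaping `&`, `<`, `>` and `"` is sufficient; a value written into a JavaScript block or a URL attribute would need the escaping appropriate to that context instead.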

Comment 8 Todd Cullum 2021-03-16 22:23:04 UTC
Statement:

velocity as shipped in Red Hat Enterprise Linux 6, 7, and 8, as well as CodeReady Studio 12, is not affected by this flaw as the affected velocity-tools code is not present in shipped products. This includes those shipped in javapackages-tools and pki-deps as well.

Comment 11 Product Security DevOps Team 2021-04-13 12:38:57 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-13959