Bug 1950479 (CVE-2021-3529)

Summary: CVE-2021-3529 noobaa-core: Cross-site scripting vulnerability with noobaa management URL
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: hvyas
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: noobaa 5.7.0 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in noobaa-core. This flaw results in the name of an arbitrary URL copied into an HTML document as plain text between tags, including a potential payload script. The input is echoed unmodified in the application response, resulting in arbitrary JavaScript being injected into an application's response. The highest threat to the system is to confidentiality, integrity, as well as system availability.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1943388    
Bug Blocks: 1950483, 1955816    

Description Pedro Sampaio 2021-04-16 17:35:28 UTC
The name of an arbitrarily supplied URL parameter is copied into the HTML document as plain text between tags on openshift-container-storage-4 with Noobaa. This results in an XSS attack, as this URL can include a payload script. 

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1943388