Bug 2056643 (CVE-2022-23647)
| Summary: | CVE-2022-23647 prismjs: improperly escaped output allows a XSS | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | agerstmayr, ahanwate, aileenc, amackenz, amasferr, amctagga, anharris, anpicker, aoconnor, bcoca, bmontgom, bniver, chazlett, cmeyers, davidn, drieden, eparis, eric.wittmann, flucifre, gblomqui, gmeno, go-sig, grafana-maint, hbraun, janstey, jburrell, jcammara, jhardy, jnethert, jobarker, jochrist, jokerman, jross, jschatte, jwendell, jwon, lmohanty, mabashia, madam, mbenjamin, mgoodwin, mhackett, mkudlej, nathans, notting, nstielau, osapryki, oskutka, ovanders, pantinor, pjindal, pvalena, rareddy, rcernich, relrod, rgodfrey, rpetrell, ruby-packagers-sig, saroy, sdoran, smcdonal, sostapov, spasquie, sponnaga, strzibny, thrcka, tjochec, tkuratom, twalsh, vereddy, vondruch, zebob.m |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | prismjs 1.27.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | A cross-site scripting (XSS) vulnerability was found in Prism. The command-line plugin did not properly escape its output, so the output text was inserted into the Document Object Model (DOM) as HTML markup rather than as text. An attacker who controls that text can therefore inject markup and script into the page. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-12-07 11:33:13 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2065431, 2065432, 2077092, 2077093, 2077094, 2077095, 2077097, 2077098, 2077099, 2077101, 2077102, 2077103, 2077104, 2077105, 2077106, 2077107, 2077108, 2077109, 2077110, 2077111, 2077112, 2077113, 2077114, 2077115, 2077116, 2077117, 2077118 | | |
| Bug Blocks: | 2064238 | | |
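The Doc Text above names the bug class but not the pattern. The following is an added example, written for this page; it is not Prism's code and is not taken from the fix in 1.27.0. It shows, in plain JavaScript with no DOM dependency, a renderer that drops an "output" line of a shell transcript into markup unescaped beside one that escapes it first, and a version-triage helper for the range this bug gives (affected after v1.14.0, fixed in 1.27.0). The lower bound is read here as inclusive of 1.14.0, which is an assumption; confirm it against the upstream advisory before relying on it.

```javascript
// Added example, not Prism's code and not from this bug report.
// A highlighter plugin that re-inserts "output" lines of a command transcript
// must treat them as text. Building HTML by string concatenation (the
// string-level equivalent of el.innerHTML = line) lets a crafted line run
// script in the page; escaping first (the equivalent of el.textContent) does not.

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the raw line becomes markup in the page.
function renderOutputLineUnsafe(line) {
  return `<span class="command-line-output">${line}</span>`;
}

// Hardened pattern: the line is escaped before it touches markup.
function renderOutputLineSafe(line) {
  return `<span class="command-line-output">${escapeHtml(line)}</span>`;
}

// Constructed sample: an "output" line under attacker control, e.g. a
// transcript pasted into a wiki, issue tracker or docs site that highlights it.
const HOSTILE_OUTPUT = '<img src=x onerror="alert(document.cookie)">';

// Crude check used only to make the difference visible: does the rendered
// markup still contain, unescaped, the first tag that appeared in the input?
function containsRawTag(html, line) {
  const tag = line.match(/<[a-zA-Z][^>]*>/);
  return tag !== null && html.includes(tag[0]);
}

// Plain dotted-numeric version comparison; release builds only (assumption:
// no pre-release suffixes such as "-beta").
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Range taken from this bug: affected from 1.14.0 (assumed inclusive) up to
// but not including the fixed version 1.27.0.
function isAffectedPrismVersion(version) {
  return compareVersions(version, '1.14.0') >= 0 &&
         compareVersions(version, '1.27.0') < 0;
}

// Stand-alone run: show both renderings and a few version checks.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderOutputLineUnsafe(HOSTILE_OUTPUT));
  console.log('safe:  ', renderOutputLineSafe(HOSTILE_OUTPUT));
  for (const v of ['1.13.0', '1.14.0', '1.26.0', '1.27.0']) {
    console.log(v, isAffectedPrismVersion(v) ? 'affected' : 'not affected');
  }
}
```

In a browser the equivalent hardening is to assign the line with `textContent` (or build a text node) instead of `innerHTML`; the string escaper above exists only so the difference is observable outside a DOM. The version helper answers the first triage question for a dependency tree, not the second one (whether the Command Line plugin is actually loaded and fed untrusted transcripts), which has to be checked against the deploying application.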
Description
Marian Rehak
2022-02-21 17:10:53 UTC
Affects prism versions after v1.14.0.

Comment 7
Vít Ondruch

Could you please elaborate how the CC list was compiled? I can't see myself anyhow related to this issue. I think that bit of clarity would help.

Comment 9
Sandipan Roy

In reply to comment #7:

> Could you please elaborate how the CC list was compiled? I can't see myself
> anyhow related to this issue. I think that bit of clarity would help.

Hi Vit,

Usually, it's compiled with input from the ENG contact when we're onboarding a product; the CC list is defined in product definitions.

Thanks.

Comment 10
Vít Ondruch

(In reply to Sandipan Roy from comment #9)
> In reply to comment #7:
> > Could you please elaborate how the CC list was compiled? I can't see myself
> > anyhow related to this issue. I think that bit of clarity would help.
>
> Hi Vit,
>
> Usually, it's compiled with input from the ENG contact when we're onboarding
> a product; the CC list is defined in product definitions.
>
> Thanks.

Thanks, unfortunately that does not help me to understand how I got on the list and if I should pay some attention. So I still wonder how I got on the list?

Comment

Created golang-ariga-atlas tracking bugs for this issue:

Affects: fedora-34 [bug 2077093]
Affects: fedora-35 [bug 2077101]
Affects: fedora-all [bug 2077113]

Comment

Created golang-github-hashicorp-consul-api tracking bugs for this issue:

Affects: fedora-34 [bug 2077094]
Affects: fedora-35 [bug 2077102]
Affects: fedora-all [bug 2077114]

Comment

Created golang-github-hashicorp-consul-sdk tracking bugs for this issue:

Affects: fedora-34 [bug 2077095]
Affects: fedora-35 [bug 2077103]
Affects: fedora-all [bug 2077115]

Comment

Created grafana tracking bugs for this issue:

Affects: fedora-34 [bug 2077097]
Affects: fedora-35 [bug 2077104]
Affects: fedora-all [bug 2077116]

Comment

Created python-drf-yasg tracking bugs for this issue:

Affects: epel-8 [bug 2077092]
Affects: epel-all [bug 2077112]
Affects: fedora-34 [bug 2077098]
Affects: fedora-35 [bug 2077106]
Affects: fedora-all [bug 2077117]

Comment

Created vagrant tracking bugs for this issue:

Affects: fedora-34 [bug 2077099]
Affects: fedora-35 [bug 2077109]
Affects: fedora-all [bug 2077118]

Comment 17
Vít Ondruch

(In reply to Vít Ondruch from comment #10)
> (In reply to Sandipan Roy from comment #9)
> > In reply to comment #7:
> > > Could you please elaborate how the CC list was compiled? I can't see myself
> > > anyhow related to this issue. I think that bit of clarity would help.
> >
> > Hi Vit,
> >
> > Usually, it's compiled with input from the ENG contact when we're onboarding
> > a product; the CC list is defined in product definitions.
> >
> > Thanks.
>
> Thanks, unfortunately that does not help me to understand how I got on the
> list and if I should pay some attention. So I still wonder how I got on the
> list?

Ok, since the Vagrant trackers were reported about a month later, it is obvious where this comes from now. Nevertheless, it seems that prism.js is mentioned just in the source tarball, in package-lock.json. I don't think it is even included in the sources, and it is definitely not included in the resulting RPMs, so I don't think this is the right approach.

So is there a chance to reconsider this? Who to talk to about this?

Comment 18
Vít Ondruch

(In reply to Vít Ondruch from comment #17)
> Ok, since the Vagrant trackers were reported about a month later, it is obvious
> where this comes from now. Nevertheless, it seems that prism.js is
> mentioned just in the source tarball, in package-lock.json. I don't think it is
> even included in the sources, and it is definitely not included in the
> resulting RPMs, so I don't think this is the right approach. So is there a chance
> to reconsider this? Who to talk to about this?

BTW there are also other trackers such as CVE-2022-29078 and CVE-2021-23566, so I'd like to stop this.

Comment 19
Vít Ondruch

(In reply to Vít Ondruch from comment #18)
> (In reply to Vít Ondruch from comment #17)
> > Ok, since the Vagrant trackers were reported about a month later, it is obvious
> > where this comes from now. Nevertheless, it seems that prism.js is
> > mentioned just in the source tarball, in package-lock.json. I don't think it is
> > even included in the sources, and it is definitely not included in the
> > resulting RPMs, so I don't think this is the right approach. So is there a chance
> > to reconsider this? Who to talk to about this?
>
> BTW there are also other trackers such as CVE-2022-29078 and CVE-2021-23566,
> so I'd like to stop this.

And CVE-2022-1365, where it is again not clear.

Comment
Vít Ondruch

(In reply to Sandipan Roy from comment #20)
> In reply to comment #17:
> > Ok, since the Vagrant trackers were reported about a month later, it is obvious
> > where this comes from now. Nevertheless, it seems that prism.js is
> > mentioned just in the source tarball, in package-lock.json. I don't think it is
> > even included in the sources, and it is definitely not included in the
> > resulting RPMs, so I don't think this is the right approach. So is there a chance
> > to reconsider this? Who to talk to about this?
>
> I do not understand what specific Product or specific Product Component You
> are talking about.

Fedora

> And if you think that prism.js is only a build dependency or does not affect
> our product then you or engineering team can close the bug as WONTFIX.

prism.js is not even a build dependency. It is not included in the sources nor in the build output. It is just mentioned in package-lock.json. But the problem is that somebody scans the package-lock.json and all the JS libraries mentioned there are treated as if Vagrant was vulnerable. That is one thing, but also:

1) If the Vagrant Fedora trackers had been reported immediately, it would be obvious where this comes from. This is not the case.

2) The problem is the scale. I have just mentioned above 4 CVEs reported against Vagrant and I don't want to close each as WONTFIX.

3) The amount of email I receive due to these trackers is unbelievable. Just for this specific CVE, I have received 38 email notifications so far; 20 emails for CVE-2022-29078, 47 emails about CVE-2021-23566 and 9 emails for CVE-2022-1365, where the Fedora Vagrant trackers were not created yet, so I might just wonder why I am on CC. So far, it is 114 emails I should never have received, so WONTFIX is not a solution. This is just a great loss of time I'd like to avoid.

Comment

This issue has been addressed in the following products:

  RHINT Service Registry 2.3.0 GA

Via RHSA-2022:6835 https://access.redhat.com/errata/RHSA-2022:6835

Comment

This issue has been addressed in the following products:

  Red Hat Data Grid 8.4.0

Via RHSA-2022:8524 https://access.redhat.com/errata/RHSA-2022:8524

Comment

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-23647