Bug 2094052 (CVE-2021-4231)

Summary: CVE-2021-4231 angular: XSS vulnerability
Product: [Other] Security Response
Component: vulnerability
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Assignee: Nobody <nobody>
Status: NEW
Severity: low
Priority: low
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
CC: aileenc, amurdaca, andrew.slice, aoconnor, asm, bniver, bodavis, chazlett, danmick, david, dbhole, deparker, dwd, eclipseo, eduardo.ramalho, epel-packagers-sig, fedora, flucifre, fmuellner, fzatlouk, gecko-bugs-nobody, gmalinko, gmeno, go-sig, i, janstey, jcajka, jhorak, jochrist, josef, jwon, kai-engert-fedora, klaas, lemenkov, loic, mbenjamin, mhackett, muagarwa, ngompa13, omajid, pdelbell, pjasicek, ramkrsna, rhughes, rstrode, sandmann, sostapov, steve, stransky, thofmann, tpopela, trpost, vereddy
Doc Text:
A flaw was found in the @angular/core package. Affected versions are vulnerable to cross-site scripting (XSS) when an application runs in development mode with server-side rendering (SSR) enabled.
Bug Depends On: 2098286, 2109316, 2109317, 2109375, 2109376, 2109377, 2109378, 2109379, 2109380, 2109381, 2109382, 2109383, 2109384, 2109385, 2109681
Bug Blocks: 2094048

Description Guilherme de Almeida Suckevicz 2022-06-06 17:16:24 UTC
A vulnerability was found in Angular up to 11.0.4/11.1.0-next.2. It has been classified as problematic. Affected is the handling of comments. The manipulation leads to cross-site scripting. It is possible to launch the attack remotely, but it might require authentication first. Upgrading to version 11.0.5 or 11.1.0-next.3 is able to address this issue. The name of the patch is ba8da742e3b243e8f43d4c63aa842b44e14f2b09. It is recommended to upgrade the affected component.

References:
https://vuldb.com/?id.181356
https://github.com/angular/angular/issues/40136
https://security.snyk.io/vuln/SNYK-JS-ANGULARCORE-1070902
https://github.com/angular/angular/commit/ba8da742e3b243e8f43d4c63aa842b44e14f2b09
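The report above says only that Angular's handling of comments leads to XSS when development mode and server-side rendering are both enabled. The following is an added example, not Angular's code and not a reproduction of the code path changed by the patch (this page does not describe it). It shows the general mechanism by which a comment node becomes an injection point when a server-side renderer serializes the DOM to a string, and one way to harden the serializer. The scenario is constructed: a hypothetical dev-mode hook `renderBindingComment` reflects an input value into a debugging comment, the value is attacker-controlled, and the function and variable names (`serializeCommentNaive`, `serializeCommentSafe`, `commentEndIndex`, `leaksMarkup`, `HOSTILE_VALUE`) are this example's own.

```javascript
'use strict';

// Added example (not Angular's code): why a comment node is an injection point
// when a server-side renderer serializes the DOM to a string, and how to
// neutralise it. The exact Angular code path is not described on this page.

// Naive comment serializer: emits the data verbatim. This is what the HTML
// fragment serialization algorithm does, so comments get no escaping at all.
function serializeCommentNaive(data) {
  return '<!--' + String(data) + '-->';
}

// Hardened serializer. A comment is terminated by "-->" or "--!>" anywhere in
// its data, and closed immediately when the data starts with ">" or "->"
// (the "<!-->" and "<!--->" forms). A zero-width space (U+200B) is inserted so
// the tokenizer no longer sees a terminator while the visible text is
// unchanged. This is an assumed design, not any framework's actual fix.
function serializeCommentSafe(data) {
  let s = String(data);
  if (s.startsWith('>') || s.startsWith('->')) s = '\u200B' + s;
  s = s.replace(/--(!?)>/g, '--$1\u200B>');
  return '<!--' + s + '-->';
}

// Hypothetical dev-mode renderer hook: reflects an input binding into a
// debugging comment. In this scenario the value is attacker-controlled.
function renderBindingComment(name, value, serializeComment) {
  return serializeComment('binding ' + name + '=' + value);
}

// Where does the first comment in `html` end, by the HTML tokenizer's rules?
// Returns the index just past the terminator (end of input also closes it).
function commentEndIndex(html) {
  if (!html.startsWith('<!--')) throw new Error('not a comment node');
  if (html.startsWith('<!-->')) return 5;
  if (html.startsWith('<!--->')) return 6;
  const m = /--!?>/.exec(html.slice(4));
  return m ? 4 + m.index + m[0].length : html.length;
}

// True when part of the serialized string falls outside the comment, i.e. the
// data closed the comment early and the trailing bytes became live markup.
function leaksMarkup(serialized) {
  return commentEndIndex(serialized) < serialized.length;
}

// Constructed hostile input: closes the comment, injects a tag, then reopens a
// comment so the renderer's own closing "-->" does not appear as stray text.
const HOSTILE_VALUE = 'x--><img src=x onerror=alert(1)><!--';

function demo() {
  const naive = renderBindingComment('title', HOSTILE_VALUE, serializeCommentNaive);
  const safe = renderBindingComment('title', HOSTILE_VALUE, serializeCommentSafe);
  return {
    naive,
    safe,
    naiveLeaks: leaksMarkup(naive), // the <img> is live markup
    safeLeaks: leaksMarkup(safe),   // everything stays inside the comment
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Running the block prints both serializations: the naive one closes the comment at the attacker's `-->`, so the `<img>` element is parsed as markup and its `onerror` handler runs, while the hardened one keeps the whole value inside the comment. The same `leaksMarkup` check is worth running over any SSR output that carries debugging annotations, because a comment is the one DOM node type the standard serialization algorithm emits with no escaping, and a development-only annotation is exactly the kind of sink that is easy to forget when production builds strip it.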

Comment 18 errata-xmlrpc 2023-06-15 09:15:28 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3623 https://access.redhat.com/errata/RHSA-2023:3623