Bug 2257732 (CVE-2021-23445)

Summary: CVE-2021-23445 datatables.net: contents of array not escaped by HTML escape entities function
Product: [Other] Security Response
Reporter: ybuenos
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aileenc, asoldano, aturgema, bbaranow, bbuckingham, bcourt, bmaxwell, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dhanak, dkreling, dosoudil, ehelms, fjuma, gmalinko, ibek, ivassile, iweiss, janstey, jrokos, jsherril, kverlaen, lgao, lzap, mhulan, michal.skrivanek, mnovotny, mosmerov, mperina, msochure, mstefank, msvehla, nmoumoul, nwallace, orabin, pcreech, pdelbell, pjindal, pmackay, rchan, rguimara, rstancel, smaestri, tom.jenkinson
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: datatables.net 1.11.3
Doc Type: If docs needed, set a value
Doc Text:
An improper neutralization of input vulnerability was found in datatables.net. If an array is passed to the HTML escape entities function, its contents are not escaped, possibly leading to cross-site scripting (XSS).
Bug Depends On: 2257736    
Bug Blocks: 2257734    
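
Added example (not part of the original bug report and not DataTables source code): a simplified JavaScript model of the flaw described in the Doc Text, next to one way to close the gap by flattening an array before escaping it. The function names, the renderCell helper and the sample data are assumptions made for illustration.

```javascript
// Simplified model of the flaw; constructed for illustration only.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };

function escapeString(s) {
  return s.replace(/[&<>"]/g, (ch) => ENTITIES[ch]);
}

// Vulnerable pattern: only string input is escaped. Any other type,
// including an array of strings, is returned unchanged.
function escapeEntitiesVulnerable(d) {
  return typeof d === 'string' ? escapeString(d) : d;
}

// Hardened pattern: an array is first flattened to the string that
// concatenation would produce anyway, then escaped like any other string.
// Nested arrays are covered too, because join() stringifies each element.
function escapeEntitiesHardened(d) {
  if (Array.isArray(d)) {
    d = d.join(',');
  }
  return typeof d === 'string' ? escapeString(d) : d;
}

// Hypothetical cell renderer. String concatenation coerces an array with
// Array.prototype.toString(), i.e. join(','), so items that were never
// escaped end up in the markup verbatim.
function renderCell(value, escapeFn) {
  return '<td>' + escapeFn(value) + '</td>';
}

// Constructed sample data: a column whose value is an array of tags.
const tags = ['ops', '<b>bold</b>', 'a&b'];

function demo() {
  return {
    vulnerable: renderCell(tags, escapeEntitiesVulnerable),
    hardened: renderCell(tags, escapeEntitiesHardened),
  };
}

console.log(demo());
```

The same comparison works as a regression test after upgrading: feed an array-valued cell through the escaping path in use and check that no raw angle brackets survive in the rendered markup.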

Comment 2 errata-xmlrpc 2024-06-03 16:58:36 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2024:3559 https://access.redhat.com/errata/RHSA-2024:3559

Comment 3 errata-xmlrpc 2024-06-03 16:59:38 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2024:3561 https://access.redhat.com/errata/RHSA-2024:3561

Comment 4 errata-xmlrpc 2024-06-03 17:00:12 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2024:3560 https://access.redhat.com/errata/RHSA-2024:3560

Comment 5 errata-xmlrpc 2024-06-03 17:10:18 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2024:3563 https://access.redhat.com/errata/RHSA-2024:3563