Bug 2322949 (CVE-2024-48910)

Summary: CVE-2024-48910 dompurify: DOMPurify vulnerable to tampering by prototype pollution
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: abarbaro, akostadi, alcohan, amasferr, amctagga, anjoseph, brking, cbartlet, cdaley, chazlett, danken, dmayorov, fdeutsch, gkamathe, gparvin, haoli, hkataria, jcammara, jcantril, jchui, jforrest, jhe, jkoehler, jlledo, jmitchel, jneedle, jprabhak, jwendell, kegrant, koliveir, kshier, ktsao, lchilton, lphiri, mabashia, mkudlej, mmakovy, nboldt, njean, nthomas, oramraz, owatkins, pahickey, pbraun, phoracek, psrna, rcernich, rhaigner, rojacob, sdawley, sfeifer, shvarugh, simaishi, skatiyar, smcdonal, smullick, stcannon, stirabos, teagle, tfister, thason, thavo, tjochec, twalsh, wtam, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A prototype pollution vulnerability was found in DOMPurify. This flaw allows a remote attacker to add or modify properties of an object prototype. Because every ordinary object inherits from that prototype, the injected properties can surface in unrelated components (for example, as entries that an allow-list lookup appears to contain), or cause a crash when an existing property is overridden with a value of an incompatible type.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2024-10-31 15:01:17 UTC
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2.
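The following is an added illustration of the bug class named in the Doc Text; it is not DOMPurify's own code and does not reproduce the specific code path fixed in 2.4.2, which this page does not detail. It shows the two effects the Doc Text describes: an unguarded recursive merge of attacker-controlled JSON writes through a "__proto__" key onto Object.prototype, after which an unrelated allow-list lookup that uses `in` appears to contain an injected attribute name, and code that expected a RegExp crashes with a TypeError because the prototype now carries a string. The guarded merge beside it skips prototype-related keys, walks own properties only, and uses null-prototype containers. All function and config names (naiveMerge, safeMerge, isAllowedAttr*, ALLOWED_ATTR, tagNameCheck) are hypothetical, and the attacker input is constructed for the demonstration.

```javascript
'use strict';

// Added illustration, not DOMPurify's own code. Names are hypothetical.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: for...in enumerates the own "__proto__" key that
// JSON.parse creates, target["__proto__"] resolves to Object.prototype,
// and the recursion writes the attacker's keys onto it.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: own keys only, prototype-related keys skipped, and
// nested containers created without a prototype to write into.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Allow-list lookups as a sanitizer might write them. `in` walks the
// prototype chain, so it sees polluted keys; the own-property form does not.
function isAllowedAttrNaive(allowList, name) {
  return name in allowList;
}
function isAllowedAttrSafe(allowList, name) {
  return Object.prototype.hasOwnProperty.call(allowList, name) && allowList[name] === true;
}

// Runs both paths on the same constructed input and reports what happened.
// Object.prototype is restored in `finally` so the pollution does not leak
// past the demonstration.
function demo() {
  // Constructed attacker-controlled config, e.g. parsed from a request body.
  const attackerJson =
    '{"ALLOW_DATA_ATTR": false,' +
    ' "__proto__": {"onerror": true, "tagNameCheck": "not-a-regexp"}}';
  const results = {};
  try {
    const config = naiveMerge({ ALLOWED_ATTR: { href: true } }, JSON.parse(attackerJson));
    // Injection: an allow-list that never listed onerror now appears to.
    results.naiveSeesOnerror = isAllowedAttrNaive(config.ALLOWED_ATTR, 'onerror');
    results.safeSeesOnerror = isAllowedAttrSafe(config.ALLOWED_ATTR, 'onerror');
    // Every plain object inherits the injected key.
    results.polluted = ({}).onerror === true;
    // Crash: code expecting a RegExp finds a string on the prototype.
    const opts = {};
    try {
      opts.tagNameCheck.test('div');
      results.crashed = false;
    } catch (e) {
      results.crashed = e instanceof TypeError;
    }
  } finally {
    delete Object.prototype.onerror;
    delete Object.prototype.tagNameCheck;
  }
  // Same input through the guarded merge: nothing reaches Object.prototype.
  const safeConfig = safeMerge(Object.create(null), JSON.parse(attackerJson));
  results.safeMergeClean =
    ({}).onerror === undefined &&
    safeConfig.ALLOW_DATA_ATTR === false &&
    !Object.keys(safeConfig).includes('__proto__');
  return results;
}

console.log(demo());
```

The practical check for a consumer of a sanitizer or any library that deep-merges caller-supplied options is the same as in `safeMerge`: refuse `__proto__`, `constructor` and `prototype` as keys, iterate own properties only, and keep lookup tables on null-prototype objects so an `in` or truthiness test cannot be satisfied by an inherited value.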

Comment 1 errata-xmlrpc 2024-11-13 18:01:06 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.4

Via RHSA-2024:9583 https://access.redhat.com/errata/RHSA-2024:9583

Comment 2 errata-xmlrpc 2024-11-20 04:18:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:9620 https://access.redhat.com/errata/RHSA-2024:9620

Comment 3 errata-xmlrpc 2024-11-22 01:06:58 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.5

Via RHSA-2024:10186 https://access.redhat.com/errata/RHSA-2024:10186

Comment 4 errata-xmlrpc 2025-01-08 10:04:24 UTC
This issue has been addressed in the following products:

  RHODF-4.17-RHEL-9

Via RHSA-2025:0079 https://access.redhat.com/errata/RHSA-2025:0079

Comment 5 errata-xmlrpc 2025-01-08 11:31:53 UTC
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2025:0082 https://access.redhat.com/errata/RHSA-2025:0082

Comment 7 errata-xmlrpc 2025-01-28 04:29:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:0654 https://access.redhat.com/errata/RHSA-2025:0654

Comment 8 errata-xmlrpc 2025-02-05 10:49:26 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:0875 https://access.redhat.com/errata/RHSA-2025:0875

Comment 13 errata-xmlrpc 2025-06-04 20:11:22 UTC
This issue has been addressed in the following products:

  RHODF-4.15-RHEL-9

Via RHSA-2025:8544 https://access.redhat.com/errata/RHSA-2025:8544

Comment 14 errata-xmlrpc 2025-06-04 22:59:37 UTC
This issue has been addressed in the following products:

  RHODF-4.14-RHEL-9

Via RHSA-2025:8551 https://access.redhat.com/errata/RHSA-2025:8551