Bug 2326998 (CVE-2023-44270)

Summary: CVE-2023-44270 PostCSS: Improper input validation in PostCSS
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
There's a flaw in the PostCSS package where it fails to properly validate the input CSS, causing commented lines to be interpreted as code. An attacker may leverage that by crafting a CSS file with comments containing CSS code in order to force PostCSS to include the malicious CSS elements in its output. A successful attack may lead to integrity impact, as it may inject elements into a web page when parsing untrusted CSS input.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2327062, 2327063, 2327064, 2327068, 2327047, 2327049, 2327050, 2327051, 2327052, 2327053, 2327054, 2327055, 2327056, 2327057, 2327058, 2327059, 2327060, 2327061, 2327065, 2327066, 2327067, 2327069, 2328666, 2328677, 2328678, 2328679, 2328680, 2328681, 2328682, 2328683, 2328684
Bug Blocks:

Description OSIDB Bzimport 2024-11-18 14:12:29 UTC
An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.
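As an added defender-side check that is not part of this bug report, the following scans an npm package-lock.json (lockfileVersion 2/3) for every installed copy of PostCSS older than the fixed 8.4.31 release named above, including nested copies pulled in by a linter; the lockfile contents are constructed here for illustration.

```javascript
// Added example, not from the bug report: flag PostCSS versions below the
// fixed release 8.4.31 in an npm package-lock.json (constructed sample below).
const FIXED = [8, 4, 31];

// Returns [major, minor, patch, prerelease] or null if unparseable.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v));
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] || null];
}

// true = below the fix, false = fixed or later, null = version not parseable.
function isVulnerable(version) {
  const p = parseVersion(version);
  if (!p) return null;
  for (let i = 0; i < 3; i++) {
    if (p[i] !== FIXED[i]) return p[i] < FIXED[i];
  }
  // Exactly 8.4.31: a prerelease tag (e.g. 8.4.31-rc.1) still predates the fix.
  return p[3] !== null;
}

// Walks the flat "packages" map of a lockfileVersion 2/3 file and reports every
// copy of postcss that is below 8.4.31 or whose version string cannot be parsed.
function findVulnerablePostcss(lock) {
  const findings = [];
  const check = (path, version) => {
    const vuln = isVulnerable(version);
    if (vuln !== false) findings.push({ path, version, vulnerable: vuln });
  };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/postcss$/.test(path) && meta.version) check(path, meta.version);
  }
  return findings;
}

// Constructed lockfileVersion 3 sample: the top-level copy is fixed, but a linter
// pulls in its own nested, older copy that a top-level-only check would miss.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/postcss': { version: '8.4.31' },
    'node_modules/some-linter/node_modules/postcss': { version: '8.4.29' },
  },
};
```

Run it against a real lockfile with `findVulnerablePostcss(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; any finding with `vulnerable: null` is a version string worth inspecting by hand.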

Comment 6 errata-xmlrpc 2024-12-03 08:24:29 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:10517 https://access.redhat.com/errata/RHSA-2024:10517

Comment 7 errata-xmlrpc 2024-12-10 08:27:55 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.5 for RHEL 8

Via RHSA-2024:10908 https://access.redhat.com/errata/RHSA-2024:10908

Comment 10 errata-xmlrpc 2025-01-28 04:29:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:0654 https://access.redhat.com/errata/RHSA-2025:0654

Comment 11 errata-xmlrpc 2025-02-03 13:09:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Dev Spaces 3 Containers

Via RHSA-2025:0892 https://access.redhat.com/errata/RHSA-2025:0892

Comment 12 errata-xmlrpc 2025-02-25 07:50:23 UTC
This issue has been addressed in the following products:

  RHODF-4.17-RHEL-9

Via RHSA-2025:1824 https://access.redhat.com/errata/RHSA-2025:1824

Comment 13 errata-xmlrpc 2025-02-25 09:15:41 UTC
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2025:1829 https://access.redhat.com/errata/RHSA-2025:1829

Comment 16 errata-xmlrpc 2025-02-26 00:59:36 UTC
This issue has been addressed in the following products:

  RHODF-4.15-RHEL-9

Via RHSA-2025:1865 https://access.redhat.com/errata/RHSA-2025:1865

Comment 17 errata-xmlrpc 2025-02-26 02:32:55 UTC
This issue has been addressed in the following products:

  RHODF-4.14-RHEL-9

Via RHSA-2025:1866 https://access.redhat.com/errata/RHSA-2025:1866

Comment 19 errata-xmlrpc 2025-03-11 09:16:26 UTC
This issue has been addressed in the following products:

  RHODF-4.18-RHEL-9

Via RHSA-2025:2652 https://access.redhat.com/errata/RHSA-2025:2652

Comment 22 errata-xmlrpc 2025-03-20 08:38:01 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.14

Via RHSA-2025:3069 https://access.redhat.com/errata/RHSA-2025:3069