Bug 1591840 - CVE-2012-6708 js-jquery: XSS via improper selector detection
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20170321,repor...
Keywords: Security
Depends On: 1591841 1591842 1591843 1591844 1591845 1591846 1591847 1591849 1610362 1610365 1610366 1610368 1610369 1610370 1591848 1591850 1591851 1610363 1610364 1610367
Blocks: 1591852
Reported: 2018-06-15 13:14 EDT by Pedro Sampaio
Modified: 2018-09-27 07:13 EDT (History)
CC List: 77 users

Fixed In Version: js-jquery 1.9.0
Description Pedro Sampaio 2018-06-15 13:14:55 EDT
Affected versions of jQuery are vulnerable to cross-site scripting. This occurs because the main jQuery function uses a regular expression to differentiate between HTML and selectors, but does not properly anchor the regular expression. The result is that jQuery may interpret HTML as selectors when given certain inputs, allowing for client-side code execution.

References:

https://bugs.jquery.com/ticket/11290
https://bugs.jquery.com/ticket/12531
https://bugs.jquery.com/ticket/6429
https://bugs.jquery.com/ticket/9521
https://nodesecurity.io/advisories/329
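The detection flaw described above, as an added example that is not part of the bug report or of jQuery's own code: two regex shapes, reconstructed from memory of the pre-1.9 and 1.9+ jQuery sources (assumptions, not quoted source), classify a string as HTML, id or selector, and a small guard shows how to keep untrusted selector input away from the HTML path.

```javascript
// Added example, not from the bug report or from jQuery: models the
// "is this string HTML or a selector?" check that $(str) performs.
// Both regexes are my reconstruction of the pre-1.9 quickExpr and the
// 1.9+ rquickExpr shapes; treat them as assumptions, not quoted source.

// Pre-1.9 shape: `[^#<]*` lets arbitrary text precede the first "<",
// so a string that merely CONTAINS a tag is routed to the HTML parser.
const LEGACY_QUICK_EXPR = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// 1.9+ shape: the HTML branch is anchored at the start, so the string
// must BEGIN with "<" (after optional whitespace) to count as HTML.
const STRICT_QUICK_EXPR = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/;

// Route a string the way the jQuery function would: "html", "id" or "selector".
function classify(str, pattern) {
  const m = pattern.exec(str);
  if (!m) return "selector";     // no quick match: falls through to the selector engine
  return m[1] ? "html" : "id";   // group 1 = HTML fragment, group 2 = #id
}

function classifyLegacy(str) { return classify(str, LEGACY_QUICK_EXPR); }
function classifyStrict(str) { return classify(str, STRICT_QUICK_EXPR); }

// Guard for code that intends to pass a *selector* built from untrusted
// input (e.g. location.hash): reject anything the strict rule would treat
// as HTML, and any "<" at all, since "<" never appears in a plain selector.
// (">" is kept: it is the child combinator, as in "div > p".)
function selectorOnly(str) {
  if (classifyStrict(str) === "html" || str.includes("<")) {
    throw new Error("refusing to pass untrusted string to the HTML path: " + str);
  }
  return str;
}

// Constructed inputs. The last one is selector-shaped text with a tag
// appended, the kind of input the cited jQuery tickets describe: legacy
// detection calls it HTML, strict detection calls it a selector.
const SAMPLES = ["<p>hello</p>", "#main", "div > p", "div.item <b>bold</b>"];

function compareSamples() {
  return SAMPLES.map((s) => ({
    input: s,
    legacy: classifyLegacy(s),
    strict: classifyStrict(s),
  }));
}

console.table(compareSamples());
```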
Comment 1 Pedro Sampaio 2018-06-15 13:16:44 EDT
Created js-jquery tracking bugs for this issue:

Affects: fedora-all [bug 1591846]


Created js-jquery1 tracking bugs for this issue:

Affects: fedora-all [bug 1591842]


Created js-jquery2 tracking bugs for this issue:

Affects: fedora-all [bug 1591844]


Created python-XStatic-jQuery tracking bugs for this issue:

Affects: epel-7 [bug 1591849]
Affects: fedora-all [bug 1591841]


Created python-tw2-jquery tracking bugs for this issue:

Affects: epel-all [bug 1591845]
Affects: fedora-all [bug 1591843]


Created rubygem-jquery-rails tracking bugs for this issue:

Affects: fedora-all [bug 1591847]
Comment 3 James Hebden 2018-06-20 04:14:01 EDT
Marking OpenStack not affected, due to the packaged version being at least 1.10.1 across all releases. Per the advisory, the patch is present in 1.9.0+.
Comment 4 Cedric Buissart 2018-07-13 06:53:27 EDT
Renamed from CVE-2017-16011 to CVE-2012-6708 (see https://nvd.nist.gov/vuln/detail/CVE-2017-16011)
Comment 5 Cedric Buissart 2018-07-13 07:00:04 EDT
External References:

https://snyk.io/vuln/npm:jquery:20120206
