Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1591854 - (CVE-2017-16012) CVE-2017-16012 js-jquery: XSS in responses from cross-origin ajax requests
CVE-2017-16012 js-jquery: XSS in responses from cross-origin ajax requests
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20170321,repor...
: Security
Depends On: 1399551 1399552 1447005 1447012 CVE-2015-9251 1399547 1399549 1399553 1399554 1399556 1447011 1591855 1591856 1591857 1591858 1591859 1591860 1591861 1591862 1591863 1591864 1591865 1593158 1593159 1593161 1593162 1593163 1593540
Blocks: 1591866
  Show dependency treegraph
 
Reported: 2018-06-15 13:32 EDT by Pedro Sampaio
Modified: 2018-10-19 17:51 EDT (History)
80 users (show)

See Also:
Fixed In Version: js-jquery 3.0.0
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Pedro Sampaio 2018-06-15 13:32:27 EDT 
Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option.

Upstream issue:

https://github.com/jquery/jquery/issues/2432

Upstream patch:

https://github.com/jquery/jquery/commit/b078a62013782c7424a4a61a240c23c4c0b42614

References:

https://nodesecurity.io/advisories/328
Comment 1 Pedro Sampaio 2018-06-15 13:33:35 EDT 
Created js-jquery tracking bugs for this issue:

Affects: fedora-all [bug 1591855]


Created js-jquery1 tracking bugs for this issue:

Affects: fedora-all [bug 1591859]


Created js-jquery2 tracking bugs for this issue:

Affects: fedora-all [bug 1591857]


Created python-XStatic-jQuery tracking bugs for this issue:

Affects: epel-7 [bug 1591863]
Affects: fedora-all [bug 1591858]


Created python-tw2-jquery tracking bugs for this issue:

Affects: epel-all [bug 1591860]
Affects: fedora-all [bug 1591856]


Created rubygem-jquery-rails tracking bugs for this issue:

Affects: fedora-all [bug 1591862]
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.