Affected versions of jQuery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option.

Upstream issue:
https://github.com/jquery/jquery/issues/2432

Upstream patch:
https://github.com/jquery/jquery/commit/b078a62013782c7424a4a61a240c23c4c0b42614

References:
https://nodesecurity.io/advisories/328
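One way to mitigate the behaviour described above on a jQuery version that cannot be upgraded, as an added example that is not part of the original report and is not jQuery's own code. `sniffDataType` and `defaultContents` are hypothetical names for a simplified model of the content-type sniffing; `jQuery.ajaxPrefilter`, `crossDomain` and `contents` are real jQuery names.

```javascript
// Simplified model (an assumption, not jQuery source) of how a response
// dataType is chosen when the caller gave none: the first entry in
// options.contents whose regex matches the Content-Type header wins.
function sniffDataType(options, contentType) {
  if (options.dataType) {
    return options.dataType;          // explicit dataType: nothing is sniffed
  }
  for (const type of Object.keys(options.contents)) {
    const pattern = options.contents[type];
    if (pattern && pattern.test(contentType)) {
      return type;                    // "script" means the body gets evaluated
    }
  }
  return "text";                      // fall back to inert text
}

// Constructed defaults resembling the content-type patterns jQuery ships with.
function defaultContents() {
  return {
    xml: /\bxml\b/,
    html: /\bhtml/,
    json: /\bjson\b/,
    script: /\b(?:java|ecma)script\b/
  };
}

// Mitigation: for cross-origin requests, remove the "script" pattern so a
// text/javascript response can no longer be inferred as executable.
// Same-origin requests keep their existing behaviour.
function blockCrossOriginScriptSniffing(options) {
  if (options.crossDomain && options.contents) {
    options.contents.script = false;
  }
}

// In a page that loads jQuery, register the mitigation for every request.
if (typeof jQuery !== "undefined") {
  jQuery.ajaxPrefilter(blockCrossOriginScriptSniffing);
}
```

Passing an explicit `dataType` (for example `"json"` or `"text"`) on each cross-origin `$.ajax` call has the same effect for that call.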
Created js-jquery tracking bugs for this issue:
Affects: fedora-all [bug 1591855]

Created js-jquery1 tracking bugs for this issue:
Affects: fedora-all [bug 1591859]

Created js-jquery2 tracking bugs for this issue:
Affects: fedora-all [bug 1591857]

Created python-XStatic-jQuery tracking bugs for this issue:
Affects: epel-7 [bug 1591863]
Affects: fedora-all [bug 1591858]

Created python-tw2-jquery tracking bugs for this issue:
Affects: epel-all [bug 1591860]
Affects: fedora-all [bug 1591856]

Created rubygem-jquery-rails tracking bugs for this issue:
Affects: fedora-all [bug 1591862]
This issue has been addressed in the following products:

Red Hat Fuse 7.6.0

Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2017-16012
Satellite 5.8 is currently in the Maintenance Support 2 phase, which means we're addressing only Critical and selected Important Impact Security Advisories.

Reference: https://access.redhat.com/support/policy/updates/satellite