Bug 1656438 - Update Bootstrap to 3.4.0
Summary: Update Bootstrap to 3.4.0
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 3.11.z
Assignee: Robb Hamilton
QA Contact: Yadan Pei
Depends On:
TreeView+ depends on / blocked
Reported: 2018-12-05 14:05 UTC by Bruno Andrade
Modified: 2022-03-13 16:21 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Bootstrap v3.3.5 contains a Cross-Site Scripting (XSS) vulnerability. Consequence: None as the management console does not allow user-input to be displayed via a data-target attribute. Fix: Upgrade Bootstrap to v3.4.0, which fixes the vulnerability. Result: The management console is not longer at risk of possible exploit via the Cross-Site Scripting (XSS) vulnerability in Bootstrap v3.3.5.
Clone Of:
Last Closed: 2019-01-30 15:19:31 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0096 0 None None None 2019-01-30 15:19:36 UTC

Description Bruno Andrade 2018-12-05 14:05:11 UTC
Description of problem:

One finding we had is that the current version of Bootstrap is v3.3.5 which is known to have some exploits.

Is there a way to use the latest Bootstrap v.4.x instead?

Version-Release number of selected component (if applicable):

Comment 1 Samuel Padgett 2019-01-07 15:06:35 UTC
Here is the related CVE for Bootstrap 3.3.x:


Our evaluation is that this is NOT exploitable in OpenShift console as we do not put unknown content into a `data-target` attribute. Regardless, we plan to update to Bootstrap to 3.4.0 in OpenShift 3.11.z, which has a fix for the CVE in Bootstrap:


Comment 2 Robb Hamilton 2019-01-07 16:20:24 UTC
PR to resolve: https://github.com/openshift/origin-web-console/pull/3105

Comment 4 Yanping Zhang 2019-01-15 03:07:06 UTC
OpenShift Master:
Kubernetes Master:
OpenShift Web Console:

Tested on ocp 3.11 env with above version, checked in <server>/console/styles/main.css, it indicates bootstrap with version v3.4.0 now.

 * Bootstrap v3.4.0 (https://getbootstrap.com/)
 * Copyright 2011-2018 Twitter, Inc.
 * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)

I think the bug has been fixed, move it to Verified. If there is something wrong, pls point out, thanks!

Comment 6 errata-xmlrpc 2019-01-30 15:19:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.