Bug 1721137 (CVE-2019-10180) - CVE-2019-10180 pki-core: unsanitized token parameters in TPS resulting in stored XSS
Summary: CVE-2019-10180 pki-core: unsanitized token parameters in TPS resulting in sto...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-10180
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1724697 1793076 1798080 1931715
Blocks: 1721139
 
Reported: 2019-06-17 12:57 UTC by msiddiqu
Modified: 2023-03-21 13:28 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was found that the Token Processing Service (TPS) did not properly sanitize several parameters stored for the tokens, possibly resulting in a Stored Cross Site Scripting (XSS) vulnerability. An attacker able to modify the parameters of any token could use this flaw to trick an authenticated user into executing arbitrary JavaScript code.
Clone Of:
Environment:
Last Closed: 2021-03-23 17:35:17 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:0947 0 None None None 2021-03-22 08:08:51 UTC
Red Hat Product Errata RHSA-2021:0948 0 None None None 2021-03-22 09:03:52 UTC

Description msiddiqu 2019-06-17 12:57:19 UTC
A vulnerability was found in pki-tps web UI, in the table showing tokens.
Several fields including the User ID and the policy are not sanitized and could be set or modified by an attacker, in order to launch a Stored Cross Site Scripting (XSS) attack.
The XSS will be triggered each time the malicious token is shown in the authenticated victim's web browser when navigating to the vulnerable URL.

Comment 1 msiddiqu 2019-06-17 13:18:39 UTC
Acknowledgments:

Name: Pritam Singh (Red Hat)

Comment 2 Cedric Buissart 2019-06-26 08:23:09 UTC
Reducing the severity to Low: the attacker needs to be able to modify the token policies in order to store the JavaScript code. This requires high privileges.

Comment 8 Cedric Buissart 2020-02-04 14:28:38 UTC
Created pki-core tracking bugs for this issue:

Affects: fedora-all [bug 1798080]

Comment 9 Salvatore Bonaccorso 2020-02-07 06:29:19 UTC
Do you know if this was reported in the upstream issue tracker and there is a fix?

Comment 10 Cedric Buissart 2020-02-07 14:06:26 UTC
Upstream is aware. There is currently no fix. I will check for upstream issue tracker.

However, the security consequences are very limited.
e.g.: thanks to the webUI using client-side TLS authentication, stealing a cookie will not be of much use to the attacker.
At the moment, the only concerns are defacing.

If/when there is a fix upstream, it will be posted on this bug tracker.

I hope this helps!

Comment 13 errata-xmlrpc 2021-03-22 08:08:50 UTC
This issue has been addressed in the following products:

  Red Hat Certificate System 9.7

Via RHSA-2021:0947 https://access.redhat.com/errata/RHSA-2021:0947

Comment 14 errata-xmlrpc 2021-03-22 09:03:50 UTC
This issue has been addressed in the following products:

  Red Hat Certificate System 9.4 EUS

Via RHSA-2021:0948 https://access.redhat.com/errata/RHSA-2021:0948

Comment 15 Product Security DevOps Team 2021-03-23 17:35:17 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10180

Comment 16 Salvatore Bonaccorso 2023-03-07 19:31:50 UTC
Hi

(In reply to Cedric Buissart from comment #10)
> Upstream is aware. There is currently no fix. I will check for upstream
> issue tracker.
> 
> However, the security consequences are very limited. 
> e.g. : Thanks to the webUI using client side TLS authentication, stealing a
> cookie will not be of much use to the attacker. 
> At the moment, the only concerns are defacing.
> 
> If/when there is a fix upstream, it will be posted on this bug tracker.
> 
> I hope this helps!

Do you have a reference for the upstream issue and fix? Noticed that
RHSA were posted for it, so assume it was fixed in meanwhile, do you
know more?

Thanks already!

Comment 17 Cedric Buissart 2023-03-21 13:27:25 UTC
Hello Salvatore,

Apologies for the delayed answer.

Thanks for pointing this out!

The 3 XSS that affected TPS (CVE-2020-1696, CVE-2019-10180 and CVE-2019-10178) have been fixed via this commit:
https://github.com/dogtagpki/pki/commit/1dbb07f8e41b4809b0f41a7643c37301fcf712d8

