Description of problem: A security scan reports that the web console in 3.11 contains a vendor.js bundle with jQuery 3.2.1, vulnerable to CVE-2019-11358.

Additional info:
- https://nvd.nist.gov/vuln/detail/CVE-2019-11358
- Some projects were updated in 2019 to fix this CVE, but OpenShift wasn't one of them: https://access.redhat.com/security/cve/CVE-2019-11358
Get the version of jQuery in the console dev tools:

$().jquery
"3.4.0"

Or:

jQuery().jquery
"3.4.0"

From https://access.redhat.com/security/cve/CVE-2019-11358, the jQuery vulnerability should be fixed in 3.4.0.

Verified on:
OpenShift Master: v3.11.169
Kubernetes Master: v1.11.0+d4cacc0
OpenShift Web Console: v3.11.169
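A scripted form of the version check above, added here as an example and not part of the bug report or the web console code: it compares a jQuery version string (as returned by `$().jquery`, or as found in the text of a vendor.js bundle) against the fixed version 3.4.0 named in the comment. The bundle fragment at the end is constructed for the example.

```javascript
// Added example (not from the bug report): check a vendored jQuery version
// against the fixed version named in the report (3.4.0 for CVE-2019-11358).
// Works on the string returned by $().jquery, or on raw bundle text, where
// the version usually survives minification in the `/*! jQuery v3.2.1 ...`
// banner comment or in the `jquery:"3.2.1"` property of the minified build.
const FIXED_VERSION = "3.4.0";

// Parse "3.2.1" into [3, 2, 1]; null for anything that is not x.y.z.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Compare numerically, not lexically ("3.10.0" is newer than "3.4.0").
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error("unparseable version: " + a + " / " + b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the detected version is older than the fixed release.
function isVulnerable(version, fixed = FIXED_VERSION) {
  return compareVersions(version, fixed) < 0;
}

// Pull every jQuery version string out of bundle text. A vendor bundle can
// embed more than one copy, so all distinct matches are returned.
function findJqueryVersions(bundleText) {
  const found = new Set();
  const patterns = [
    /\/\*!\s*jQuery v(\d+\.\d+\.\d+)/g, // banner comment kept by minifiers
    /jquery:\s*"(\d+\.\d+\.\d+)"/g,      // jQuery.fn.jquery in minified builds
  ];
  for (const re of patterns) {
    let m;
    while ((m = re.exec(bundleText)) !== null) found.add(m[1]);
  }
  return [...found];
}

// Audit a bundle: each embedded version with its status against the fix.
function auditBundle(bundleText, fixed = FIXED_VERSION) {
  return findJqueryVersions(bundleText)
    .map(v => ({ version: v, vulnerable: isVulnerable(v, fixed) }));
}

// Constructed sample in the shape of a minified bundle, not the real vendor.js.
const SAMPLE_BUNDLE =
  '/*! jQuery v3.2.1 | (c) JS Foundation and other contributors */\n' +
  '!function(a){var x={jquery:"3.2.1"};a.jQuery=x}(this);';
```

Running `auditBundle(SAMPLE_BUNDLE)` on the constructed fragment flags 3.2.1 as below the fix; feeding it the real bundle text, or passing `$().jquery` to `isVulnerable`, gives the same yes/no answer the manual dev-tools check does.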
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0402
In future, please contact Product Security <secalert> before filing bugs or working on fixes for CVEs. In this case, this fix was released to customers without Product Security's involvement, which means that it was undocumented. There was no RHSA, no published scanning data, no CVE page entry. Undocumented security fixes are a High level exception under ProdSec policy: https://docs.engineering.redhat.com/pages/viewpage.action?pageId=74060126

I have linked the RHBA with this CVE as a band-aid solution, but we can't convert RHBAs to RHSAs after they have released. For OpenShift, this document has info for working on CVE fixes: https://mojo.redhat.com/docs/DOC-1194006

A possible reason why there weren't earlier OpenShift bugs for this CVE is likely that the OpenShift web console does not provide a manifest of its vendored JS dependencies to Product Security. Maintainers can provide manifests by following this doc: https://mojo.redhat.com/docs/DOC-1195158