Bug 1848092 (CVE-2019-16769) - CVE-2019-16769 npm-serialize-javascript: XSS via unsafe characters in serialized regular expressions
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-16769
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1849464 1849465 1850178 1850922 1851815
Blocks: 1848093
Reported: 2020-06-17 16:41 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-11-18 05:22 UTC (History)

Fixed In Version: npm-serialize-javascript 2.1.1
Doc Type: If docs needed, set a value
Doc Text:
An XSS flaw was found in npm-serialize-javascript. It does not properly mitigate against unsafe characters in serialized regular expressions. Node.js environments are not affected, because Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized regular expression objects are used in an environment other than Node.js, that environment is affected by this vulnerability.
Clone Of:
Environment:
Last Closed: 2020-07-01 19:28:03 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:2796 0 None None None 2020-07-01 18:46:12 UTC
Red Hat Product Errata RHSA-2020:4298 0 None None None 2020-10-27 16:24:15 UTC

Description Guilherme de Almeida Suckevicz 2020-06-17 16:41:06 UTC
The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. The Node.js environment is not affected by this vulnerability, since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects is used in an environment other than Node.js, it is affected by this vulnerability.

Reference:
https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-h9rv-jmmf-4pgx
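
The condition described above, as an added example that is not part of the original report and is not serialize-javascript's own code: it simulates an engine whose RegExp.prototype.toString() leaves forward slashes unescaped and contrasts that output with a serialization that escapes unsafe characters. All function names and the sample pattern are assumptions constructed for illustration.

```javascript
// Added example; every name below is hypothetical, not the library's API.

// Characters that are unsafe when serialized data is placed in an inline
// <script> block: HTML-significant characters and JS line separators.
const UNSAFE = /[<>\/\u2028\u2029]/g;

// Replace each unsafe character with its \uXXXX escape sequence.
function escapeUnsafe(text) {
  return text.replace(UNSAFE, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).toUpperCase().padStart(4, '0'));
}

// Assumption: models an engine whose RegExp.prototype.toString() does NOT
// backslash-escape forward slashes. Node.js does escape them, so the
// non-Node behaviour is simulated by building the literal by hand.
function literalWithoutSlashEscaping(pattern, flags) {
  return '/' + pattern + '/' + flags;
}

// Hardened form: emit a constructor call whose string argument has every
// unsafe character escaped, so the result never depends on how a given
// engine renders a regular expression literal.
function serializeRegExpSafely(re) {
  return 'new RegExp(' + escapeUnsafe(JSON.stringify(re.source)) +
    ', ' + JSON.stringify(re.flags) + ')';
}

// Review/test check: does the serialized text contain markup that the HTML
// parser acts on inside a <script> element?
function canBreakOutOfScript(serialized) {
  return /<\/script|<!--/i.test(serialized);
}

// Constructed sample: a pattern that matches a closing script tag.
const sample = new RegExp('</script>', 'i');
console.log('Node toString():   ', sample.toString());
console.log('unescaped literal: ', literalWithoutSlashEscaping('</script>', 'i'));
console.log('hardened output:   ', serializeRegExpSafely(sample));
```

Running `canBreakOutOfScript` over serializer output in a unit test catches a regression on any engine, including ones that do not escape forward slashes.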

Comment 1 Mark Cooper 2020-06-18 07:57:09 UTC
Statement:

In both OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM), the grafana and prometheus containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable serialize-javascript library to authenticated users only, therefore the impact is low.

Comment 6 Mark Cooper 2020-06-22 01:27:21 UTC
OpenShift (OCP) 4.x includes a vulnerable version of serialize-javascript (v1.7.0) in containers openshift4/ose-grafana and openshift4/ose-prometheus.

OpenShift ServiceMesh (OSSM), 1.1.x only, includes a vulnerable version (v1.7.0) in the openshift-service-mesh/grafana-rhel8 container.

Comment 14 errata-xmlrpc 2020-07-01 18:46:09 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.1

Via RHSA-2020:2796 https://access.redhat.com/errata/RHSA-2020:2796

Comment 15 Product Security DevOps Team 2020-07-01 19:28:03 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-16769

Comment 16 errata-xmlrpc 2020-10-27 16:24:13 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2020:4298 https://access.redhat.com/errata/RHSA-2020:4298
