Bug 1850004 (CVE-2020-11023) - CVE-2020-11023 jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution
Summary: CVE-2020-11023 jquery: Passing HTML containing <option> elements to manipulat...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-11023
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1850006 1850007 1850008 1850009 1850011 1850014 1850015 1850016 1850018 1850019 1850020 1850021 1850022 1850982 1851251 1851252 1851296 1852327 1852330 1852401 1852402 1852403 1859248 1859249 1859255 1882291 1882292 1882296 1889869 1828636 1850010 1850012 1850013 1850017 1850023 1851253 1851295 1852328 1852329 1852400 1859250 1859251 1859253 1859254 1859291 1859292 1859293 1882717 1888387
Blocks: 1850024
 
Reported: 2020-06-23 12:03 UTC by Michael Kaplan
Modified: 2020-10-23 12:38 UTC (History)

Fixed In Version: jQuery 3.5.0
Doc Text:
A flaw was found in jQuery in versions beginning in 1.0.3 through 3.5.0. When HTML containing <option> elements from untrusted sources is passed, even after sanitizing, to one of jQuery's DOM manipulation methods, untrusted code may be executed. The highest threat from this vulnerability is to data confidentiality and integrity.
Clone Of:
Environment:
Last Closed: 2020-07-02 13:27:52 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:2412 None None None 2020-07-13 17:23:31 UTC
Red Hat Product Errata RHSA-2020:2813 None None None 2020-07-02 13:22:01 UTC
Red Hat Product Errata RHSA-2020:3247 None None None 2020-08-04 13:16:10 UTC
Red Hat Product Errata RHSA-2020:3369 None None None 2020-08-06 20:17:51 UTC
Red Hat Product Errata RHSA-2020:3807 None None None 2020-09-23 16:10:56 UTC
Red Hat Product Errata RHSA-2020:4211 None None None 2020-10-08 07:00:05 UTC

Description Michael Kaplan 2020-06-23 12:03:01 UTC
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

References:

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released
https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6
https://jquery.com/upgrade-guide/3.5/
https://security.netapp.com/advisory/ntap-20200511-0006/
https://www.debian.org/security/2020/dsa-4693
https://www.drupal.org/sa-core-2020-002

Comment 1 Michael Kaplan 2020-06-23 12:05:40 UTC
Created drupal7 tracking bugs for this issue:

Affects: epel-all [bug 1850023]
Affects: fedora-all [bug 1850013]


Created js-jquery tracking bugs for this issue:

Affects: epel-7 [bug 1850008]
Affects: fedora-all [bug 1850015]


Created js-jquery1 tracking bugs for this issue:

Affects: epel-7 [bug 1850006]
Affects: fedora-all [bug 1850022]


Created js-jquery2 tracking bugs for this issue:

Affects: fedora-all [bug 1850016]


Created python-XStatic-jQuery tracking bugs for this issue:

Affects: epel-7 [bug 1850007]
Affects: fedora-all [bug 1850018]
Affects: openstack-rdo [bug 1850011]


Created python-XStatic-jquery-ui tracking bugs for this issue:

Affects: epel-7 [bug 1850010]
Affects: fedora-all [bug 1850017]
Affects: openstack-rdo [bug 1850012]


Created python-tw-jquery tracking bugs for this issue:

Affects: epel-6 [bug 1850014]


Created python-tw2-jquery tracking bugs for this issue:

Affects: epel-6 [bug 1850021]
Affects: epel-7 [bug 1850009]
Affects: fedora-all [bug 1850020]


Created rubygem-jquery-rails tracking bugs for this issue:

Affects: fedora-all [bug 1850019]

Comment 8 Mark Cooper 2020-06-25 06:43:09 UTC
OpenShift ServiceMesh includes a vulnerable version of jquery (3.4.1) in servicemesh-grafana.

Comment 9 Mark Cooper 2020-06-25 07:00:12 UTC
[edited] Upstream fix: https://github.com/jquery/jquery/commit/966a70909019aa09632c87c0002c522fa4a1e30e

In the advisory from jquery they talk about removing the regex functionality from htmlPrefilter, "The jQuery.htmlPrefilter function does not use a regex in 3.5.0 and passes the string through unchanged."

Comment 10 Mark Cooper 2020-06-25 07:06:21 UTC
Further to #comment8 grafana actually do package jquery 3.5.0, included as a patch in the RPM and hence is not affected.

Comment 17 Summer Long 2020-06-26 04:29:47 UTC
External References:

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Comment 20 Hardik Vyas 2020-06-30 10:56:31 UTC
The storage products below include a vulnerable version of jQuery in grafana and grafana-container:

Ceph-3 grafana : jquery-3.3.1
Ceph-3 grafana-container : jquery-3.3.1
Ceph-4 grafana-container : jquery-3.3.1
Gluster grafana : jquery-3.2.1
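
The version triage done in comments 8, 10 and 20, as an added example that is not part of the original bug report: a small Node.js script that reads the jQuery version from a distribution banner or a file name and checks it against the affected range given in the description (>= 1.0.3 and < 3.5.0). The sample strings and function names are constructed for illustration, and pre-release suffixes are ignored.

```javascript
// Added example (not from the bug report): classify bundled jQuery copies
// against the affected range stated in the description: >= 1.0.3, < 3.5.0.
const AFFECTED_FROM = [1, 0, 3];
const FIXED_IN = [3, 5, 0];

// Places a version shows up: the banner of the full or minified
// distribution file, or a file/package name such as "jquery-3.3.1.min.js".
const VERSION_PATTERNS = [
  /jQuery JavaScript Library v(\d+\.\d+(?:\.\d+)?)/,
  /\/\*!\s*jQuery v(\d+\.\d+(?:\.\d+)?)/,
  /\bjquery[-@](\d+\.\d+(?:\.\d+)?)/i,
];

function parseVersion(text) {
  for (const re of VERSION_PATTERNS) {
    const m = re.exec(text);
    if (m) {
      const parts = m[1].split(".").map(Number);
      while (parts.length < 3) parts.push(0); // "1.4" -> 1.4.0
      return parts;
    }
  }
  return null;
}

// Numeric, component-wise comparison; a plain string comparison would
// sort "1.10.2" before "1.9.1".
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function classify(text) {
  const v = parseVersion(text);
  if (!v) return "unknown"; // banner stripped by a bundler: inspect by hand
  const affected = compare(v, AFFECTED_FROM) >= 0 && compare(v, FIXED_IN) < 0;
  return affected ? "affected" : "not affected";
}

// Constructed inventory: versions quoted in the comments, as constructed strings.
const samples = [
  "Ceph-3 grafana : jquery-3.3.1",
  "Gluster grafana : jquery-3.2.1",
  "/*! jQuery v3.4.1 | (c) JS Foundation and other contributors */",
  "/*!\n * jQuery JavaScript Library v3.5.0\n */",
  "!function(e,t){/* banner removed */}",
];
for (const s of samples) console.log(`${classify(s)}: ${s.replace(/\n/g, " ")}`);
```

An "unknown" result means the copy carries no recognizable version string and has to be identified another way, for example from the package that ships it.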

Comment 24 errata-xmlrpc 2020-07-02 13:21:56 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4.1

Via RHSA-2020:2813 https://access.redhat.com/errata/RHSA-2020:2813

Comment 25 Product Security DevOps Team 2020-07-02 13:27:52 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-11023

Comment 26 errata-xmlrpc 2020-07-13 17:23:26 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2020:2412 https://access.redhat.com/errata/RHSA-2020:2412

Comment 30 errata-xmlrpc 2020-08-04 13:16:03 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2020:3247 https://access.redhat.com/errata/RHSA-2020:3247

Comment 31 errata-xmlrpc 2020-08-06 20:17:46 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.1
  Openshift Service Mesh 1.1

Via RHSA-2020:3369 https://access.redhat.com/errata/RHSA-2020:3369

Comment 34 errata-xmlrpc 2020-09-23 16:10:50 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2020:3807 https://access.redhat.com/errata/RHSA-2020:3807

Comment 38 Cedric Buissart 2020-09-24 09:27:09 UTC
Created pcs tracking bugs for this issue:

Affects: fedora-all [bug 1882296]

Comment 47 errata-xmlrpc 2020-10-08 06:59:57 UTC
This issue has been addressed in the following products:

  A-MQ Interconnect 1.y for RHEL 7
  A-MQ Interconnect 1.y for RHEL 6
  A-MQ Interconnect 1.y for RHEL 8

Via RHSA-2020:4211 https://access.redhat.com/errata/RHSA-2020:4211

Comment 48 Cedric Buissart 2020-10-08 08:38:23 UTC
Statement:

Red Hat Enterprise Linux versions 6, 7 and 8 ship a vulnerable version of jQuery in the `pcs` component. However, the vulnerability has not been found to be exploitable in reasonable scenarios. A future update may update jQuery to a fixed version.

