Bug 1850004 (CVE-2020-11023) - CVE-2020-11023 jquery: Untrusted code execution via <option> tag in HTML passed to DOM manipulation methods
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-11023
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1850006 1850007 1850008 1850009 1850011 1828636 1850010 1850012 1850013 1850014 1850015 1850016 1850017 1850018 1850019 1850020 1850021 1850022 1850023 1850982 1851251 1851252 1851253 1851295 1851296 1852327 1852328 1852329 1852330 1852400 1852401 1852402 1852403 1859248 1859249 1859250 1859251 1859253 1859254 1859255 1859291 1859292 1859293 1882291 1882292 1882296 1882717 1888387 1889869 1910645 1936810
Blocks: 1850024 2014197
 
Reported: 2020-06-23 12:03 UTC by Michael Kaplan
Modified: 2024-03-14 01:52 UTC
CC: 151 users

Fixed In Version: jQuery 3.5.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in jQuery. If HTML containing <option> elements from untrusted sources is passed, even after sanitizing, to one of jQuery's DOM manipulation methods, untrusted code may be executed. The highest threat from this vulnerability is to data confidentiality and integrity.
Clone Of:
Environment:
Last Closed: 2021-03-04 13:02:09 UTC
Embargoed:




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2020:2412  0        None      None    None     2020-07-13 17:23:31 UTC
Red Hat Product Errata  RHSA-2020:2813  0        None      None    None     2020-07-02 13:22:01 UTC
Red Hat Product Errata  RHSA-2020:3247  0        None      None    None     2020-08-04 13:16:10 UTC
Red Hat Product Errata  RHSA-2020:3369  0        None      None    None     2020-08-06 20:17:51 UTC
Red Hat Product Errata  RHSA-2020:3807  0        None      None    None     2020-09-23 16:10:56 UTC
Red Hat Product Errata  RHSA-2020:4211  0        None      None    None     2020-10-08 07:00:05 UTC
Red Hat Product Errata  RHSA-2020:4298  0        None      None    None     2020-10-27 16:24:35 UTC
Red Hat Product Errata  RHSA-2020:4847  0        None      None    None     2020-11-04 03:15:02 UTC
Red Hat Product Errata  RHSA-2020:5249  0        None      None    None     2020-11-30 14:12:48 UTC
Red Hat Product Errata  RHSA-2020:5412  0        None      None    None     2020-12-15 18:34:48 UTC
Red Hat Product Errata  RHSA-2021:0778  0        None      None    None     2021-03-09 15:52:21 UTC
Red Hat Product Errata  RHSA-2021:0860  0        None      None    None     2021-03-16 13:54:19 UTC
Red Hat Product Errata  RHSA-2021:4142  0        None      None    None     2021-11-09 17:24:09 UTC
Red Hat Product Errata  RHSA-2022:6393  0        None      None    None     2022-09-08 11:28:33 UTC
Red Hat Product Errata  RHSA-2023:0552  0        None      None    None     2023-01-31 13:14:43 UTC
Red Hat Product Errata  RHSA-2023:0553  0        None      None    None     2023-01-31 13:10:42 UTC
Red Hat Product Errata  RHSA-2023:0554  0        None      None    None     2023-01-31 13:18:24 UTC
Red Hat Product Errata  RHSA-2023:0556  0        None      None    None     2023-01-31 13:19:30 UTC

Description Michael Kaplan 2020-06-23 12:03:01 UTC
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

References:

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released
https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6
https://jquery.com/upgrade-guide/3.5/
https://security.netapp.com/advisory/ntap-20200511-0006/
https://www.debian.org/security/2020/dsa-4693
https://www.drupal.org/sa-core-2020-002
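
The mechanism the description refers to (a string that passes a sanitizer yet executes once jQuery's DOM methods process it) can be illustrated offline. What follows is an added example, not code from this bug report, from jQuery or from any Red Hat product: a deliberately tiny model of two HTML parser insertion modes, parsing one constructed payload twice, once as ordinary body content (what a sanitizer sees) and once inside the <select multiple='multiple'> wrapper that jQuery before 3.5.0 put around HTML strings starting with <option>, which 3.5.0 stops doing. The payload, the function names and the simplified mode rules are assumptions for illustration; this is not the HTML5 tree-construction algorithm, only the two rules that matter here.

```javascript
// Added example (not from the bug report or from jQuery): a minimal model of two HTML
// parser insertion modes, enough to show why a sanitizer and jQuery < 3.5.0 can disagree
// about the same string. The real parser and the real jQuery code are far more involved.

// Elements whose content is raw text in "in body" mode: the parser does not look for
// tags inside them until the matching end tag.
const RAW_TEXT = new Set(["style", "script", "textarea", "title"]);
// Start tags the "in select" insertion mode accepts; any other start tag is a parse error
// and is silently dropped. That dropped <style> is the detail this bug turns on.
const SELECT_ALLOWED = new Set(["option", "optgroup", "script", "template"]);
// The first tag name in the string decides which wrapper jQuery picks (paraphrase of
// jQuery's rtagName; assumption for this model).
const FIRST_TAG = /<([a-z][^\/\0>\x20\t\r\n\f]+)/i;
// Wrapper jQuery < 3.5.0 put around strings starting with <option>.
const LEGACY_OPTION_WRAP = ["<select multiple='multiple'>", "</select>"];

// Constructed payload for this example. Parsed as body content, <style> swallows
// everything up to </style>, so nothing looks executable. Parsed inside a <select>,
// the <style> is dropped, the </select> closes jQuery's wrapper, and <img onerror>
// becomes a real element.
const PAYLOAD = "<option><style></option></select><img src=x onerror=alert(1)></style>";

// Returns the elements the model parser creates, in document order.
function parseElements(html) {
  const elements = [];
  const lower = html.toLowerCase();
  const tag = /<(\/?)([a-zA-Z][^\s\/>]*)([^>]*)>/g;
  let mode = "body";
  let i = 0;
  while (i < html.length) {
    tag.lastIndex = i;
    const m = tag.exec(html);
    if (!m) break;
    i = tag.lastIndex;
    const isEndTag = m[1] === "/";
    const name = m[2].toLowerCase();
    if (isEndTag) {
      if (name === "select" && mode === "select") mode = "body"; // wrapper closed
      continue;
    }
    if (mode === "select" && !SELECT_ALLOWED.has(name)) continue; // parse error: dropped
    elements.push({ name, attrs: m[3].trim() });
    if (name === "select") mode = "select";
    if (RAW_TEXT.has(name)) {
      // Raw text: skip to the matching end tag without tokenizing what is in between.
      const close = lower.indexOf("</" + name, i);
      i = close === -1 ? html.length : close;
    }
  }
  return elements;
}

// jQuery < 3.5.0 view: the string is wrapped before the browser ever parses it.
function legacyJQueryParse(html) {
  const first = (FIRST_TAG.exec(html) || [])[1];
  const wrap = first && first.toLowerCase() === "option" ? LEGACY_OPTION_WRAP : ["", ""];
  return parseElements(wrap[0] + html + wrap[1]);
}

// jQuery >= 3.5.0 view, and the view a sanitizer parsing body content gets: no wrapper.
function bodyContextParse(html) {
  return parseElements(html);
}

// Crude "is there an inline event handler" check standing in for a sanitizer's verdict.
function hasEventHandler(elements) {
  return elements.some(e => /(^|\s)on[a-z]+\s*=/i.test(e.attrs));
}

function demo() {
  const sanitizerView = bodyContextParse(PAYLOAD);
  const legacyView = legacyJQueryParse(PAYLOAD);
  return {
    sanitizerSees: sanitizerView.map(e => e.name),   // ["option", "style"]
    sanitizerFlags: hasEventHandler(sanitizerView),   // false
    legacyJQuerySees: legacyView.map(e => e.name),    // ["select", "option", "img"]
    legacyJQueryFlags: hasEventHandler(legacyView),   // true
  };
}

console.log(demo());
```

Run with node. The point is that the sanitizer and jQuery are not parsing the same string: the wrapper changes the insertion mode, <style> is dropped inside a select, and the </select> in the payload closes jQuery's own wrapper. In a browser the <img> is created in jQuery's scratch element and its onerror runs when the failed load is reported, whether or not jQuery ever appends it to the page. Real parsers have many more context dependencies of this kind, which is why sanitizer output should not be re-parsed in a different context, and why the remedy here is upgrading to jQuery 3.5.0 or later rather than tuning the sanitizer.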

Comment 1 Michael Kaplan 2020-06-23 12:05:40 UTC
Created drupal7 tracking bugs for this issue:

Affects: epel-all [bug 1850023]
Affects: fedora-all [bug 1850013]


Created js-jquery tracking bugs for this issue:

Affects: epel-7 [bug 1850008]
Affects: fedora-all [bug 1850015]


Created js-jquery1 tracking bugs for this issue:

Affects: epel-7 [bug 1850006]
Affects: fedora-all [bug 1850022]


Created js-jquery2 tracking bugs for this issue:

Affects: fedora-all [bug 1850016]


Created python-XStatic-jQuery tracking bugs for this issue:

Affects: epel-7 [bug 1850007]
Affects: fedora-all [bug 1850018]
Affects: openstack-rdo [bug 1850011]


Created python-XStatic-jquery-ui tracking bugs for this issue:

Affects: epel-7 [bug 1850010]
Affects: fedora-all [bug 1850017]
Affects: openstack-rdo [bug 1850012]


Created python-tw-jquery tracking bugs for this issue:

Affects: epel-6 [bug 1850014]


Created python-tw2-jquery tracking bugs for this issue:

Affects: epel-6 [bug 1850021]
Affects: epel-7 [bug 1850009]
Affects: fedora-all [bug 1850020]


Created rubygem-jquery-rails tracking bugs for this issue:

Affects: fedora-all [bug 1850019]

Comment 8 Mark Cooper 2020-06-25 06:43:09 UTC
OpenShift ServiceMesh includes a vulnerable version of jquery (3.4.1) in servicemesh-grafana.

Comment 9 Mark Cooper 2020-06-25 07:00:12 UTC
[edited] Upstream fix: https://github.com/jquery/jquery/commit/966a70909019aa09632c87c0002c522fa4a1e30e

In the advisory from jquery they talk about removing the regex functionality from htmlPrefilter, "The jQuery.htmlPrefilter function does not use a regex in 3.5.0 and passes the string through unchanged."

Comment 10 Mark Cooper 2020-06-25 07:06:21 UTC
Further to comment #8, grafana actually does package jQuery 3.5.0, included as a patch in the RPM, and hence is not affected.

Comment 17 Summer Long 2020-06-26 04:29:47 UTC
External References:

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Comment 20 Hardik Vyas 2020-06-30 10:56:31 UTC
The storage products below include a vulnerable version of jQuery in grafana and grafana-container:

Ceph-3 grafana : jquery-3.3.1
Ceph-3 grafana-container : jquery-3.3.1
Ceph-4 grafana-container : jquery-3.3.1
Gluster grafana : jquery-3.2.1
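
Several comments on this bug concern products that bundle their own copy of jQuery (grafana, pcs) rather than depending on a packaged one, which is where outdated copies tend to hide. The following is an added example, not from this bug report or from any Red Hat product or package: a small Node script that walks a directory tree, picks up files named like jquery*.js, reads the version from the banner comment jQuery builds start with, and flags anything in the affected range given in the description (>= 1.0.3 and < 3.5.0). The file-name pattern, the banner formats, the inline sample banners and the output layout are assumptions for this example; a renamed or banner-stripped copy is reported as unknown, never as safe.

```javascript
// Added example (not from the bug report or from any Red Hat package): find bundled jQuery
// copies under a directory and flag versions in the range the advisory names.
// File-name pattern, banner formats and output layout are assumptions for this example.

// Affected range from the bug description: >= 1.0.3 and < 3.5.0.
const FIRST_AFFECTED = [1, 0, 3];
const FIXED_IN = [3, 5, 0];

// Constructed sample banners for the built-in self-test. They mimic the comment jQuery
// builds start with ("/*! jQuery v3.4.1 | ..." in newer builds, "jQuery JavaScript
// Library v1.x" in older uncompressed ones); paths and contents are made up.
const SAMPLE_BANNERS = {
  "vendor/jquery-3.4.1.min.js": "/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */",
  "legacy/jquery-1.9.1.js": "/*!\n * jQuery JavaScript Library v1.9.1\n * http://jquery.com/\n */",
  "app/jquery.min.js": "/*! jQuery v3.5.1 | (c) JS Foundation and other contributors | jquery.org/license */",
  "app/jquery-custom.js": "// internal helper, no banner",
};

// "3.4.1" -> [3, 4, 1]; "3.4" -> [3, 4, 0]; unparseable -> null.
function parseVersion(text) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(text);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3] || 0)] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true/false for a parseable version, null when the version cannot be parsed.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return null;
  return compareVersions(v, FIRST_AFFECTED) >= 0 && compareVersions(v, FIXED_IN) < 0;
}

// Pull the version out of the banner comment. Only the first 1 KiB is inspected so a
// version string quoted deep inside unrelated code is not mistaken for the banner.
function jqueryVersionFromSource(src) {
  const head = src.slice(0, 1024);
  const m = /jQuery(?: JavaScript Library)? v(\d+\.\d+(?:\.\d+)?)/.exec(head);
  return m ? m[1] : null;
}

function classify(file, src) {
  const version = jqueryVersionFromSource(src);
  const affected = version === null ? null : isAffected(version);
  return { file, version, affected };
}

// Self-test over the constructed banners above.
function scanSamples() {
  return Object.entries(SAMPLE_BANNERS).map(([file, src]) => classify(file, src));
}

// Real scan: every jquery*.js below root, depth first, no symlink following.
function scanDirectory(root) {
  const fs = require("fs");
  const path = require("path");
  const findings = [];
  const stack = [root];
  while (stack.length) {
    const dir = stack.pop();
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isDirectory()) {
        stack.push(full);
      } else if (/^jquery.*\.js$/i.test(entry.name)) {
        findings.push(classify(full, fs.readFileSync(full, "utf8")));
      }
    }
  }
  return findings;
}

function report(findings) {
  for (const f of findings) {
    const status = f.affected === true ? "AFFECTED" : f.affected === false ? "ok" : "unknown";
    console.log(`${status.padEnd(8)} ${(f.version || "?").padEnd(8)} ${f.file}`);
  }
}

if (typeof require !== "undefined" && require.main === module) {
  // node scan.js /path/to/product/root   (no argument: run the built-in samples)
  report(process.argv[2] ? scanDirectory(process.argv[2]) : scanSamples());
}
```

Run it against an unpacked RPM or container layer to get a first inventory; treat every "unknown" as something to open by hand, and remember that a product can carry a fixed version as a patch on top of an older tarball (comment #10 above is such a case), so the banner is evidence, not proof.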

Comment 24 errata-xmlrpc 2020-07-02 13:21:56 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4.1

Via RHSA-2020:2813 https://access.redhat.com/errata/RHSA-2020:2813

Comment 25 Product Security DevOps Team 2020-07-02 13:27:52 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-11023

Comment 26 errata-xmlrpc 2020-07-13 17:23:26 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2020:2412 https://access.redhat.com/errata/RHSA-2020:2412

Comment 30 errata-xmlrpc 2020-08-04 13:16:03 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2020:3247 https://access.redhat.com/errata/RHSA-2020:3247

Comment 31 errata-xmlrpc 2020-08-06 20:17:46 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.1

Via RHSA-2020:3369 https://access.redhat.com/errata/RHSA-2020:3369

Comment 34 errata-xmlrpc 2020-09-23 16:10:50 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2020:3807 https://access.redhat.com/errata/RHSA-2020:3807

Comment 38 Cedric Buissart 2020-09-24 09:27:09 UTC
Created pcs tracking bugs for this issue:

Affects: fedora-all [bug 1882296]

Comment 47 errata-xmlrpc 2020-10-08 06:59:57 UTC
This issue has been addressed in the following products:

  A-MQ Interconnect 1.y for RHEL 7
  A-MQ Interconnect 1.y for RHEL 6
  A-MQ Interconnect 1.y for RHEL 8

Via RHSA-2020:4211 https://access.redhat.com/errata/RHSA-2020:4211

Comment 52 errata-xmlrpc 2020-10-27 16:24:29 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2020:4298 https://access.redhat.com/errata/RHSA-2020:4298

Comment 53 errata-xmlrpc 2020-11-04 03:14:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4847 https://access.redhat.com/errata/RHSA-2020:4847

Comment 60 errata-xmlrpc 2020-11-30 14:12:44 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Tower 3.7 for RHEL 7

Via RHSA-2020:5249 https://access.redhat.com/errata/RHSA-2020:5249

Comment 61 errata-xmlrpc 2020-12-15 18:34:44 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2020:5412 https://access.redhat.com/errata/RHSA-2020:5412

Comment 63 Eric Christensen 2021-01-26 16:09:59 UTC
Statement:

Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of jQuery in the `pcs` component. However, the vulnerability has not been found to be exploitable in reasonable scenarios. A future update may update jQuery to a fixed version.

Comment 66 Product Security DevOps Team 2021-03-04 13:02:09 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-11023

Comment 69 errata-xmlrpc 2021-03-09 15:52:16 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Tower 3.6 for RHEL 7

Via RHSA-2021:0778 https://access.redhat.com/errata/RHSA-2021:0778

Comment 70 errata-xmlrpc 2021-03-16 13:54:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0860 https://access.redhat.com/errata/RHSA-2021:0860

Comment 73 errata-xmlrpc 2021-05-18 15:32:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1846 https://access.redhat.com/errata/RHSA-2021:1846

Comment 75 errata-xmlrpc 2021-11-09 17:24:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4142 https://access.redhat.com/errata/RHSA-2021:4142

Comment 76 errata-xmlrpc 2022-09-08 11:28:27 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2022:6393 https://access.redhat.com/errata/RHSA-2022:6393

Comment 86 errata-xmlrpc 2023-01-31 13:10:35 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2023:0553 https://access.redhat.com/errata/RHSA-2023:0553

Comment 87 errata-xmlrpc 2023-01-31 13:14:36 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2023:0552 https://access.redhat.com/errata/RHSA-2023:0552

Comment 88 errata-xmlrpc 2023-01-31 13:18:16 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2023:0554 https://access.redhat.com/errata/RHSA-2023:0554

Comment 89 errata-xmlrpc 2023-01-31 13:19:23 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2023:0556 https://access.redhat.com/errata/RHSA-2023:0556

