jQuery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e., "</script >", which results in the enclosed script logic being executed. https://security.netapp.com/advisory/ntap-20200528-0001/ https://snyk.io/vuln/SNYK-JS-JQUERY-569619
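Added illustration of the filtering gap described above (this is example code written for this thread, not jQuery's own implementation or the upstream fix): a hypothetical naive script-stripping regex that only recognises the literal "</script>" end tag is run beside a hardened variant that tolerates whitespace before ">", as HTML end tags permit. The sample HTML fragment and the helper `isAffectedJQueryVersion` are constructed here; the version boundary (1.9.0) is the one the advisory states.

```javascript
// Example code for this report, not jQuery's source. The two regexes model a
// naive filter versus a whitespace-tolerant one; the sample HTML is constructed.

// Hypothetical naive filter: the closing tag must be exactly "</script>", so
// "</script >" (space before ">") is never matched and the block survives.
const NAIVE_SCRIPT_RE = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi;

// Hardened variant: accept optional whitespace between "script" and ">" in the
// end tag, both in the negative lookahead and in the final closing match.
const HARDENED_SCRIPT_RE =
  /<script\b[^<]*(?:(?!<\/script\s*>)<[^<]*)*<\/script\s*>/gi;

// Remove every <script>...</script> block that the given pattern recognises.
function stripScripts(html, re) {
  return html.replace(re, "");
}

// Defender-side check: does any script opening tag remain after filtering?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed fragment: one normally closed script, one closed with "</script >".
const SAMPLE =
  "<p>hello</p><script>a()</script><div>x</div><script>b()</script ><p>bye</p>";

// Returns true for jQuery versions below 1.9.0, the first release the report
// above treats as fixed. Pre-release suffixes are ignored (assumption).
function isAffectedJQueryVersion(version) {
  const [major, minor] = version.split(".").map((n) => parseInt(n, 10) || 0);
  return major < 1 || (major === 1 && minor < 9);
}

// Stand-alone run: show what each filter leaves behind.
const naive = stripScripts(SAMPLE, NAIVE_SCRIPT_RE);
const hardened = stripScripts(SAMPLE, HARDENED_SCRIPT_RE);
console.log("naive filter left a script tag:", containsScriptTag(naive));
console.log("hardened filter left a script tag:", containsScriptTag(hardened));
console.log("1.8.3 affected:", isAffectedJQueryVersion("1.8.3"));
console.log("3.4.1 affected:", isAffectedJQueryVersion("3.4.1"));
```

The point for a reviewer is that a regex which spells out the end tag literally is a filter the HTML parser does not share, so anything the parser accepts but the regex does not will slip through. Pattern fixes like the hardened variant close this one gap only; the remediation the thread relies on is moving to a jQuery version of 1.9.0 or later, and `isAffectedJQueryVersion` is the kind of check one can run over a `grep` of "jQuery JavaScript Library v" headers as done further down this thread.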
Created drupal7 tracking bugs for this issue:
Affects: epel-all [bug 1850138]
Affects: fedora-all [bug 1850136]

Created js-jquery tracking bugs for this issue:
Affects: epel-7 [bug 1850123]
Affects: fedora-all [bug 1850127]

Created js-jquery1 tracking bugs for this issue:
Affects: epel-7 [bug 1850134]
Affects: fedora-all [bug 1850133]

Created js-jquery2 tracking bugs for this issue:
Affects: fedora-all [bug 1850126]

Created python-XStatic-jQuery tracking bugs for this issue:
Affects: epel-7 [bug 1850139]
Affects: fedora-all [bug 1850129]
Affects: openstack-rdo [bug 1850135]

Created python-XStatic-jquery-ui tracking bugs for this issue:
Affects: epel-7 [bug 1850121]
Affects: fedora-all [bug 1850128]
Affects: openstack-rdo [bug 1850125]

Created python-tw-jquery tracking bugs for this issue:
Affects: epel-6 [bug 1850137]

Created python-tw2-jquery tracking bugs for this issue:
Affects: epel-6 [bug 1850132]
Affects: epel-7 [bug 1850120]
Affects: fedora-all [bug 1850131]

Created rubygem-jquery-rails tracking bugs for this issue:
Affects: fedora-all [bug 1850130]
Upstream Commit: https://github.com/jquery/jquery/commit/a938d7b1282fc0e5c52502c225ae8f0cef219f0a
OpenShift ServiceMesh includes jQuery versions not vulnerable to this flaw:
- kiali jquery v3.5.0
- servicemesh-grafana jquery v3.5.0
Removing Satellite 5 from affects list since it is EOL.
CloudForms does not use a version less than 1.9.0, hence it is not affected.
[ytale@cordelia]# grep -inr "jQuery JavaScript Library v"
jquery.js:2: * jQuery JavaScript Library v1.12.4
jquery2.js:2: * jQuery JavaScript Library v2.2.4
jquery3.js:2: * jQuery JavaScript Library v3.4.1
All OpenShift Container Platform components which include jQuery include a version later than 1.9.0 and are therefore unaffected by this flaw.
None of the storage products include an affected version of jQuery, hence they are not affected by this flaw.
Ceph-3 grafana : jquery-3.3.1
Ceph-3 grafana-container : jquery-3.3.1
Ceph-4 grafana-container : jquery-3.3.1
Gluster grafana-4.6.4-1.el7rhgs : jquery-3.2.1
RHEV-M projects use jQuery 3.4.1, thus not affected.
This issue has been addressed in the following products:
A-MQ Interconnect 1.y for RHEL 7
A-MQ Interconnect 1.y for RHEL 6
A-MQ Interconnect 1.y for RHEL 8
Via RHSA-2020:4211 https://access.redhat.com/errata/RHSA-2020:4211
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-7656
Created pcs tracking bugs for this issue:
Affects: fedora-all [bug 1886340]
Statement: Red Hat Enterprise Linux versions 6, 7 and 8 ship a vulnerable version of jQuery in the `pcs` component. However, the vulnerability has not been found to be exploitable in reasonable scenarios. A future update may update jQuery to a fixed version.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:4142 https://access.redhat.com/errata/RHSA-2021:4142