Versions of bootstrap-select prior to 1.13.6 are vulnerable to Cross-Site Scripting (XSS). The package does not HTML-escape the title values of <option> tags when it renders them, so an attacker who controls an option's title can inject markup and execute arbitrary JavaScript in a victim's browser. References: https://github.com/advisories/GHSA-9r7h-6639-v5mw
Upstream fix: https://github.com/snapappointments/bootstrap-select/commit/9c0dc0dc06258c5993be3e5048b8919377a704ec
External References: https://github.com/advisories/GHSA-9r7h-6639-v5mw https://snyk.io/vuln/SNYK-JS-BOOTSTRAPSELECT-570457
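The following is an added illustration of the bug class described above (an <option> title interpolated into markup without escaping) next to the escaped form. It is not bootstrap-select's own code and is not taken from the upstream fix commit; the function names (renderOptionUnsafe, renderOptionSafe, htmlEscape, attributeNames), the markup shape and the payload are assumptions constructed for the example.

```javascript
// Added example, not bootstrap-select code. Function names, markup and
// the payload below are hypothetical and constructed for illustration.

// Minimal HTML escaper suitable for text and double-quoted attribute values.
function htmlEscape(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the option's title is concatenated raw into the
// markup, so a title containing a double quote closes the attribute and
// can append attributes of its own (for example an event handler).
function renderOptionUnsafe(opt) {
  return '<li><a role="option" title="' + opt.title + '">' + opt.text + '</a></li>';
}

// Hardened pattern: escape the title (and the visible text) before
// interpolation so quotes and angle brackets stay inert.
function renderOptionSafe(opt) {
  return '<li><a role="option" title="' + htmlEscape(opt.title) + '">' +
         htmlEscape(opt.text) + '</a></li>';
}

// Crude attribute lister for the <a> element, used only to show which
// attributes a browser would end up parsing from each rendering.
function attributeNames(markup) {
  const m = markup.match(/<a\s+([^>]*)>/);
  if (!m) return [];
  const names = [];
  const re = /([a-zA-Z-]+)\s*=\s*"[^"]*"/g;
  let a;
  while ((a = re.exec(m[1])) !== null) names.push(a[1]);
  return names;
}

// Constructed payload: a title value under attacker control.
const evil = { text: 'Option 1', title: 'x" onmouseover="alert(1)' };

const unsafe = renderOptionUnsafe(evil);
const safe = renderOptionSafe(evil);
console.log(unsafe);
console.log(attributeNames(unsafe)); // role, title, onmouseover
console.log(safe);
console.log(attributeNames(safe));   // role, title
```

The unescaped rendering yields a third attribute, onmouseover, that the option's author never wrote; after escaping, the same input stays inside the title attribute as literal text. Any code that builds option or dropdown markup from string concatenation needs the same treatment for every interpolated value, not only title.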
Whilst yarn does report that both the openshift3/ose-console and openshift4/ose-console containers have bootstrap-select as a dependency, inspecting the webpack output shows that the bootstrap-select code is not actually bundled (only some of its CSS stylesheets are). Hence both containers are marked not affected.
Statement: In OpenShift Service Mesh (OSSM) the openshift-service-mesh/kiali-rhel7 container (which installs the kiali rpm) is behind OpenShift OAuth authentication restricting access to the vulnerable bootstrap-select library to authenticated users only, therefore the impact is low.
This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2021:1169 https://access.redhat.com/errata/RHSA-2021:1169
This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2021:1186 https://access.redhat.com/errata/RHSA-2021:1186
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-20921