JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled. Reference: https://www.tenable.com/security/research/tra-2021-05
External References: https://www.tenable.com/security/research/tra-2021-05
No upstream fix as the upstream maintainers do not agree this is a security issue. From the report, https://www.tenable.com/security/research/tra-2021-05, yes the example works but I suppose it wasn't designed to load local resources? Prob not much of an issue from a client side perspective (maybe some scenarios where maybe some data could be leaked back to the server) but from a server perspective maybe if new JSDOM from source is using untrusted input then feasible it could load server resources. BUT that is kinda what that function is designed to do, so I do understand where the maintainers are coming from here. From an OCP and OSSM perspective, none of the components are enabling the loading of resources and are only using jsdom in a testing context. Hence they've been marked as Low, and wontfix.
Statement: For an application which includes jsdom to be vulnerable to this CVE, it must at least enable the loading of resources using something similar to: `new JSDOM(html, {resources: "usable"})`, where `html` is untrusted input. Furthermore, scripts can be executed by extending the options similar to: `new JSDOM(html, {resources: "usable", runScripts: "dangerously"})`. [1] OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM) both include components that package a vulnerable version of `jsdom`. However, none of the components directly enable the loading of resources via `resources: "usable"`, and most components only include `jsdom` for use in tests. Hence for OCP and OSSM the impact is rated Low; the components are wontfix at this time and might be fixed in a future release. [1] https://github.com/jsdom/jsdom#loading-subresources
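The statement above reduces the question "is a component affected?" to "does it construct a JSDOM with `resources: "usable"` (and, worse, `runScripts: "dangerously"`) on untrusted HTML?". The following is an added audit helper, not code from jsdom or from Red Hat: it scans source text for `new JSDOM(...)` calls, extracts those two options from the call's argument text, and flags calls that enable subresource loading. The sample source it runs over is constructed for this example; the helper only inspects text, so it runs offline without jsdom installed.

```javascript
// Added example: flag JSDOM constructions that enable the options named in
// the statement above. Operates on raw source text, not on a live JSDOM.

// Constructed sample source, imitating three ways a component might call jsdom.
const SAMPLE_SOURCE = `
const { JSDOM } = require("jsdom");
// default options: no subresource loading, no script execution
const a = new JSDOM(html);
// loads subresources referenced by untrusted html
const b = new JSDOM(html, { resources: "usable" });
// loads subresources and runs inline scripts
const c = new JSDOM(html, { resources: "usable", runScripts: "dangerously" });
`;

// Locate every `new JSDOM(` call and capture its argument text up to the
// matching close paren (nesting-aware, which is enough for option literals).
function findJsdomCalls(source) {
  const calls = [];
  const re = /new\s+JSDOM\s*\(/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    let depth = 1;
    let i = re.lastIndex; // first character after the opening "("
    while (i < source.length && depth > 0) {
      const ch = source[i];
      if (ch === "(") depth++;
      else if (ch === ")") depth--;
      i++;
    }
    const line = source.slice(0, m.index).split("\n").length;
    calls.push({ line, args: source.slice(re.lastIndex, i - 1) });
  }
  return calls;
}

// Read a string-valued option such as `resources: "usable"` from the argument
// text; returns undefined when the option is not set on that call.
function optionValue(args, key) {
  const re = new RegExp("\\b" + key + "\\s*:\\s*[\"'`]([^\"'`]+)[\"'`]");
  const found = re.exec(args);
  return found ? found[1] : undefined;
}

// One finding per call. `flagged` follows the statement: the call is in scope
// for the CVE only when subresource loading is enabled; `runsScripts` records
// the amplifying option.
function auditJsdomSource(source) {
  return findJsdomCalls(source).map(({ line, args }) => {
    const resources = optionValue(args, "resources");
    const runScripts = optionValue(args, "runScripts");
    return {
      line,
      resources,
      runScripts,
      flagged: resources === "usable",
      runsScripts: runScripts === "dangerously",
    };
  });
}

// Stand-alone run: print the findings for the constructed sample.
for (const f of auditJsdomSource(SAMPLE_SOURCE)) {
  const status = f.flagged
    ? `loads subresources${f.runsScripts ? " and runs scripts" : ""}`
    : "default (no subresource loading)";
  console.log(`line ${f.line}: ${status}`);
}
```

Run it over a component's source tree (for example by concatenating its `.js` files, or calling `auditJsdomSource` once per file) to reproduce the check behind "none of the components directly enable the loading of resources"; a call that is flagged but only lives under a test directory matches the "only include jsdom for use in tests" case the statement describes.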
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-20066