1950915 – XSS Vulnerability with Noobaa version 5.5.0-3bacc6b

Bug 1950915 - XSS Vulnerability with Noobaa version 5.5.0-3bacc6b

Summary: XSS Vulnerability with Noobaa version 5.5.0-3bacc6b

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenShift Container Storage
Classification:	Red Hat Storage
Component:	Multi-Cloud Object Gateway
Sub Component:
Version:	4.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Target Release:	OCS 4.6.5
Assignee:	Nimrod Becker
QA Contact:	Filip Balák
Docs Contact:
URL:
Whiteboard:
Depends On:	1943388
Blocks:	1950906
TreeView+	depends on / blocked

Reported:	2021-04-19 07:03 UTC by Nimrod Becker
Modified:	2021-06-17 15:47 UTC (History)
CC List:	9 users (show)
Fixed In Version:	4.6.5-411.ci
Doc Type:	No Doc Update
Doc Text:
Clone Of:	1943388
Environment:
Last Closed:	2021-06-17 15:46:42 UTC
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Before fix (58.64 KB, image/png) 2021-05-27 12:23 UTC, Filip Balák	no flags	Details
After fix (51.24 KB, image/png) 2021-05-27 12:24 UTC, Filip Balák	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	noobaa noobaa-core pull 6527	0	None	closed	Backport to 5.6	2021-05-23 06:56:07 UTC
Red Hat Product Errata	RHSA-2021:2479	0	None	None	None	2021-06-17 15:47:05 UTC

Comment 10 Filip Balák 2021-05-27 12:23:52 UTC

Created attachment 1787610 [details]
Before fix

Comment 11 Filip Balák 2021-05-27 12:24:57 UTC

Created attachment 1787611 [details]
After fix

Comment 12 Filip Balák 2021-05-27 12:40:55 UTC

As Eran wrote in https://bugzilla.redhat.com/show_bug.cgi?id=1943388#c17, the vulnerability is not exploitable with provided payload because browsers encode the url. Used payload in browser before the fix can be seen in attachment 1787610 [details].

The url is not rendered in error page anymore after the fix as seen in attachment 1787611 [details]. This prevents attack described in this BZ. --> VERIFIED

Tested with:
OCS before fix: 4.5.2-146.ci
OCS after fix: 4.6.5-411.ci

Comment 19 errata-xmlrpc 2021-06-17 15:46:42 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat OpenShift Container Storage 4.6.5 security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2479

Note You need to log in before you can comment on or make changes to this bug.