Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server. https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cf https://github.com/apostrophecms/apostrophe/discussions/4436 https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4 https://github.com/apostrophecms/sanitize-html/pull/650 https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-6256334
Created glances tracking bugs for this issue: Affects: epel-all [bug 2266114] Affects: fedora-all [bug 2266116] Created golang-github-apache-beam-2 tracking bugs for this issue: Affects: fedora-all [bug 2266117] Created golang-github-prometheus tracking bugs for this issue: Affects: epel-all [bug 2266115] Created jupyterlab tracking bugs for this issue: Affects: fedora-all [bug 2266118] Created python-ipyparallel tracking bugs for this issue: Affects: fedora-all [bug 2266119] Created rstudio tracking bugs for this issue: Affects: fedora-all [bug 2266120]
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.15 Via RHSA-2024:1770 https://access.redhat.com/errata/RHSA-2024:1770
This issue has been solved in RHACM 2.10.1 with this public advisory https://access.redhat.com/errata/RHBA-2024:1793
This issue has been solved in RHACM 2.9.4 via this public advisory https://access.redhat.com/errata/RHBA-2024:3593
This issue has been solved in MCE 2.5.2 via this public advisory https://access.redhat.com/errata/RHBA-2024:1775
This issue has been solved in MCE 2.4.5 via this public advisory https://access.redhat.com/errata/RHBA-2024:3555