A remote code execution vulnerability exists in Xterm.js before versions 3.8.1, 3.9.2 and 3.10.1 when the component mishandles special characters. The fix was released separately on three maintenance branches, so the affected set is every release below 3.8.1 on the 3.8.x branch, below 3.9.2 on the 3.9.x branch and below 3.10.1 on the 3.10.x branch; a release such as 3.9.0 is affected even though it is newer than 3.8.1.
Upstream Releases:
https://github.com/xtermjs/xterm.js/releases/tag/3.8.1
https://github.com/xtermjs/xterm.js/releases/tag/3.9.2
https://github.com/xtermjs/xterm.js/releases/tag/3.10.1
Upstream Patches:
https://github.com/xtermjs/xterm.js/commit/50abb43e
https://github.com/xtermjs/xterm.js/commit/eeca95b6
https://github.com/xtermjs/xterm.js/commit/f3bfcc36
https://github.com/xtermjs/xterm.js/commit/3592c641
Statement: This issue affects both the atomic-openshift-web-console RPM and the openshift3/ose-console container image shipped in OpenShift Container Platform. These components provide a web console for opening in-browser terminals in cluster pods, and that terminal is rendered by the bundled Xterm.js component. Successful exploitation of this issue would require an attacker to convince an authorized user to open an in-browser terminal on a target pod and to run a command whose output contains attacker-controlled input, so that the crafted output is processed by the vulnerable Xterm.js component in the user's browser. Red Hat Product Security has rated this issue as having a security impact of Moderate. A future update may address this issue.
This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 3.11 via RHSA-2019:1422 https://access.redhat.com/errata/RHSA-2019:1422
Red Hat OpenShift Container Platform 3.10 via RHSA-2019:2552 https://access.redhat.com/errata/RHSA-2019:2552
Red Hat OpenShift Container Platform 3.9 via RHSA-2019:2551 https://access.redhat.com/errata/RHSA-2019:2551