Bug 1695901 (CVE-2019-10179) - CVE-2019-10179 pki-core/pki-kra: Reflected XSS in recoveryID search field at KRA's DRM agent page in authorize recovery tab
Summary: CVE-2019-10179 pki-core/pki-kra: Reflected XSS in recoveryID search field at ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-10179
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1724713 1724714 1797689 1842734 1926316 1926317
Blocks: 1695902
TreeView+ depends on / blocked
 
Reported: 2019-04-03 21:19 UTC by Pedro Sampaio
Modified: 2021-03-23 16:46 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was found that the Key Recovery Authority (KRA) Agent Service did not properly sanitize recovery request search page, enabling a Reflected Cross Site Scripting (XSS) vulnerability. An attacker could trick an authenticated victim into executing specially crafted Javascript code.
Clone Of:
Environment:
Last Closed: 2020-11-04 02:21:18 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4847 0 None None None 2020-11-04 03:14:42 UTC
Red Hat Product Errata RHSA-2021:0819 0 None None None 2021-03-15 13:25:58 UTC
Red Hat Product Errata RHSA-2021:0851 0 None None None 2021-03-16 13:48:09 UTC
Red Hat Product Errata RHSA-2021:0975 0 None None None 2021-03-23 16:46:51 UTC

Description Pedro Sampaio 2019-04-03 21:19:03 UTC
A flaw was found in recoveryID search field at KRA's DRM agent page in authorize recovery tab, this user input is not being sanitized and therefore it is vulnerable to a reflected XSS.

Comment 1 Cedric Buissart 2019-05-29 09:44:18 UTC
Acknowledgments:

Name: Pritam Singh (Red Hat)

Comment 7 Cedric Buissart 2020-02-03 16:30:40 UTC
Statement:

This vulnerability is rated Low : the web UI uses client TLS authentication, therefore stealing session cookies will not be sufficient for unauthorized access. The vulnerable page itself does not contain secrets.

Comment 8 Cedric Buissart 2020-02-03 16:31:08 UTC
Created pki-core tracking bugs for this issue:

Affects: fedora-all [bug 1797689]

Comment 9 Salvatore Bonaccorso 2020-02-07 06:28:57 UTC
Do you know if this was reported in the upstream issue tracker and there is a fix?

Comment 10 Cedric Buissart 2020-02-07 14:02:39 UTC
Upstream is aware. There is currently no fix.
However, the security consequences are very limited. 
e.g. : Thanks to the webUI using client side TLS authentication, stealing a cookie will not be of much use to the attacker. 
At the moment, the only concerns are defacing.

If/when there is a fix upstream, it will be posted on this bug tracker.

I hope this helps!

Comment 11 Product Security DevOps Team 2020-11-04 02:21:18 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10179

Comment 12 errata-xmlrpc 2020-11-04 03:14:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4847 https://access.redhat.com/errata/RHSA-2020:4847

Comment 13 Alex Scheel 2020-12-02 16:49:19 UTC
Fixed by 8884b4344225bd6656876d9e2a58b3268e9a899b and a93a65be0b1bcf94e004ba59c6a0c8a2c086936f upstream.

Comment 14 errata-xmlrpc 2021-03-15 13:25:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2021:0819 https://access.redhat.com/errata/RHSA-2021:0819

Comment 15 errata-xmlrpc 2021-03-16 13:48:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0851 https://access.redhat.com/errata/RHSA-2021:0851

Comment 16 errata-xmlrpc 2021-03-23 16:46:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:0975 https://access.redhat.com/errata/RHSA-2021:0975


Note You need to log in before you can comment on or make changes to this bug.