A cross-site scripting (XSS) vulnerability in the htmlPrefilter method of jQuery before 3.5.0.

References:
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://github.com/jquery/jquery/pull/4642
https://github.com/jquery/jquery/pull/4647
https://seclists.org/fulldisclosure/2020/Apr/46

Upstream fix:
https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77
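Added illustration for triage (not part of this bug report and not jQuery's own code): a probe that tells whether a loaded jQuery still rewrites self-closing tags in htmlPrefilter, plus a shim that replaces the rewriting prefilter with the identity behaviour jQuery 3.5.0 ships. It assumes jQuery.htmlPrefilter is the public hook that jQuery's HTML-parsing paths call before building a fragment (true for jQuery 1.12+/2.2+/3.x; earlier branches inline the regex and cannot be shimmed this way). The makeOldJQuery and makeFixedJQuery objects are constructed stand-ins so the probe runs offline; the regex in the stand-in mirrors the pre-3.5.0 rxhtmlTag pattern. On a real page you would pass window.jQuery instead.

```javascript
// Added example, not from the bug report or from jQuery. Probes and shims
// jQuery.htmlPrefilter on the jQuery versions this bug covers.
// ASSUMPTION: htmlPrefilter is the public hook called by .html(),
// .append(), $("<...>") etc. before a fragment is built (jQuery 1.12+/2.2+/3.x).

// Constructed stand-in for a pre-3.5.0 jQuery. The regex/replacement mirror
// the pre-fix htmlPrefilter; on a live page use window.jQuery instead.
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;
function makeOldJQuery() {
  return {
    fn: { jquery: "3.4.1" },
    htmlPrefilter(html) { return html.replace(rxhtmlTag, "<$1></$2>"); },
  };
}
// Constructed stand-in for jQuery 3.5.0+, where htmlPrefilter is the identity.
function makeFixedJQuery() {
  return { fn: { jquery: "3.5.0" }, htmlPrefilter(html) { return html; } };
}

// Probe 1: version string. True when the reported version is below 3.5.0.
function versionIsAffected(versionString) {
  const parts = versionString.split(".").map((n) => parseInt(n, 10) || 0);
  const major = parts[0] || 0;
  const minor = parts[1] || 0;
  return major < 3 || (major === 3 && minor < 5);
}

// Probe 2: behaviour. A pre-3.5.0 htmlPrefilter expands the benign canary
// "<div/>" into "<div></div>"; a fixed one returns it unchanged. Behaviour is
// the better signal because bundled/minified builds may strip the version.
const CANARY = "<div/>";
function prefilterIsVulnerable($) {
  if ($ == null || typeof $.htmlPrefilter !== "function") {
    return null; // cannot tell: no public hook (e.g. jQuery < 1.12)
  }
  return $.htmlPrefilter(CANARY) !== CANARY;
}

// Mitigation shim: replace the rewriting prefilter with the 3.5.0 identity
// behaviour. Upgrading remains the fix; code that relied on "<div/>" being
// expanded must be changed to write "<div></div>" explicitly.
function hardenHtmlPrefilter($) {
  if (prefilterIsVulnerable($)) {
    $.htmlPrefilter = function (html) { return html; };
    return true;   // shim applied
  }
  return false;    // already safe, or no hook to shim
}

// Combined audit result for a console or a test harness.
function auditJQuery($) {
  const version = $ && $.fn && $.fn.jquery ? $.fn.jquery : "unknown";
  return {
    version,
    versionAffected: version === "unknown" ? null : versionIsAffected(version),
    prefilterRewrites: prefilterIsVulnerable($),
  };
}

// Stand-alone run against the constructed objects.
const old$ = makeOldJQuery();
console.log(auditJQuery(old$));                 // versionAffected: true, prefilterRewrites: true
console.log(hardenHtmlPrefilter(old$));          // true
console.log(auditJQuery(old$).prefilterRewrites); // false
console.log(auditJQuery(makeFixedJQuery()));     // versionAffected: false, prefilterRewrites: false
```

The behavioural probe is what to trust when inventorying bundled copies such as the ones listed in the tracking bugs below: a build with the version banner stripped still answers the canary honestly, and a copy that was already patched in place (or shimmed) reports false even if its banner says 3.4.1.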
Created drupal7 tracking bugs for this issue:
Affects: epel-all [bug 1828417]
Affects: fedora-all [bug 1828416]

Created js-jquery tracking bugs for this issue:
Affects: epel-7 [bug 1828410]
Affects: fedora-all [bug 1828419]

Created js-jquery1 tracking bugs for this issue:
Affects: epel-7 [bug 1828407]
Affects: fedora-all [bug 1828414]

Created js-jquery2 tracking bugs for this issue:
Affects: fedora-all [bug 1828420]

Created python-XStatic-jQuery tracking bugs for this issue:
Affects: epel-7 [bug 1828411]
Affects: fedora-all [bug 1828422]
Affects: openstack-rdo [bug 1828413]

Created python-XStatic-jquery-ui tracking bugs for this issue:
Affects: epel-7 [bug 1828408]
Affects: fedora-all [bug 1828421]
Affects: openstack-rdo [bug 1828415]

Created python-tw-jquery tracking bugs for this issue:
Affects: epel-6 [bug 1828418]

Created python-tw2-jquery tracking bugs for this issue:
Affects: epel-6 [bug 1828426]
Affects: epel-7 [bug 1828412]
Affects: fedora-all [bug 1828424]

Created rubygem-jquery-rails tracking bugs for this issue:
Affects: fedora-all [bug 1828423]

Created rubygem-jquery-ui-rails tracking bugs for this issue:
Affects: fedora-all [bug 1828425]
OpenShift ServiceMesh packages an affected version of jQuery (v3.4.1) in the kiali and servicemesh-grafana components.
External References: https://github.com/advisories/GHSA-gxr4-xjj5-5px2
Red Hat Enterprise Linux 7's ipa, publican, and python-coverage packages ship versions of jquery which are affected by this flaw. Red Hat Enterprise Linux 8's idm:DL1 stream has ipa which ships an affected version of jquery. Red Hat Software Collections python27-python-coverage and python27-python-werkzeug are also affected.
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2020:2217 https://access.redhat.com/errata/RHSA-2020:2217
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-11022
This issue has been addressed in the following products: Openshift Service Mesh 1.0 OpenShift Service Mesh 1.0 Via RHSA-2020:2362 https://access.redhat.com/errata/RHSA-2020:2362
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4.1 Via RHSA-2020:2813 https://access.redhat.com/errata/RHSA-2020:2813
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2020:2412 https://access.redhat.com/errata/RHSA-2020:2412
This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2020:3247 https://access.redhat.com/errata/RHSA-2020:3247
Statement: No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.
Comments #4 and #5 are outdated; they were made before the advisory update of 30 May, so please ignore them. Sat5 is OOSS now, and in Sat6 we are not shipping jquery, so marking not affected. [However, many gems bundle those as part of assets, docs, etc. Raising tracker (bug 1869802) for engineering to take a look at that, in case we can do anything about them.]
This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2020:3807 https://access.redhat.com/errata/RHSA-2020:3807
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:3936 https://access.redhat.com/errata/RHSA-2020:3936
This issue has been addressed in the following products: A-MQ Interconnect 1.y for RHEL 7 A-MQ Interconnect 1.y for RHEL 6 A-MQ Interconnect 1.y for RHEL 8 Via RHSA-2020:4211 https://access.redhat.com/errata/RHSA-2020:4211
*** Bug 1888540 has been marked as a duplicate of this bug. ***
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2020:4298 https://access.redhat.com/errata/RHSA-2020:4298
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4670 https://access.redhat.com/errata/RHSA-2020:4670
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4847 https://access.redhat.com/errata/RHSA-2020:4847
This issue has been addressed in the following products: Red Hat Ansible Tower 3.7 for RHEL 7 Via RHSA-2020:5249 https://access.redhat.com/errata/RHSA-2020:5249
This issue has been addressed in the following products: Red Hat Ansible Tower 3.6 for RHEL 7 Via RHSA-2021:0778 https://access.redhat.com/errata/RHSA-2021:0778
This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2022:6393 https://access.redhat.com/errata/RHSA-2022:6393
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Via RHSA-2023:0553 https://access.redhat.com/errata/RHSA-2023:0553
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Via RHSA-2023:0552 https://access.redhat.com/errata/RHSA-2023:0552
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 Via RHSA-2023:0554 https://access.redhat.com/errata/RHSA-2023:0554
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2023:0556 https://access.redhat.com/errata/RHSA-2023:0556
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 7 Via RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1043
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 8 Via RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1044
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 9 Via RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1045
This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2023:1047 https://access.redhat.com/errata/RHSA-2023:1047
This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2023:1049 https://access.redhat.com/errata/RHSA-2023:1049