A flaw was found in xmlhttprequest before 1.7.0 and all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run. References: https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js#L480 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082937 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082938 https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935 https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936
Created nodejs-xmlhttprequest tracking bugs for this issue: Affects: fedora-all [bug 1935979] Created nodejs-xmlhttprequest-ssl tracking bugs for this issue: Affects: fedora-32 [bug 1935980]
upstream fix: https://github.com/driverdan/node-XMLHttpRequest/commit/983cfc244c7567ad6a59e366e55a8037e0497fe6
XMLHTTPRequest is included in Red Hat Quay as a dependency of engine.io-client, which is a development dependency and only used at build time.
External References: https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082938
OpenShift Container Platform (OCP) grafana-container for 4.5 still has references to xmlhttprequest, as it is version grafana v6.5.3. However, it's xmlhttprequest v1.8.0 and is not affected. For OpenShift ServiceMesh (OSSM) it's using grafana v6.4.3 and that is a vulnerable version of xmlhttprequest. However, the only reference to it in the code is from d3-request, which uses it to push to jsDelivr: https://github.com/d3/d3-request/blob/62551679e4f8a0cbce222174db8dcbcf3b0fd437/package.json#L20 Also checked the delivered container itself for markers from the xmlhttprequest source and couldn't find anything. Hence it's been marked as not affected.
Statement: While the OpenShift ServiceMesh (OSSM) grafana-container source does have a vulnerable version of the nodejs-xmlhttprequest, it does not bundle or use the library in the released product. Therefore, the container has been marked `not affected`. For the OpenShift Container Platform (OCP), the grafana-container for OCP 4.5 is already using a non-affected version of xmlhttprequest (v1.8.0). Later versions of the container (4.6+) don't include xmlhttprequest. For Red Hat Advanced Cluster Management for Kubernetes (RHACM), the different components using xmlhttprequest are already using a non-affected version (v1.8.0). Therefore, all supported RHACM versions have been marked `not affected`. For Red Hat Ceph Storage (RHCS) 3 and 4 the grafana-container is already using a non-affected version of xmlhttprequest (v1.8.0).
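The triage above boils down to two checks per product: is a copy of xmlhttprequest below 1.7.0 (or any xmlhttprequest-ssl) present in the dependency tree, and is it a build-time (dev) dependency or shipped. The following is an added example, not code from the bug report or from node-XMLHttpRequest, that applies both checks to a lockfileVersion-1 package-lock.json tree; the package names and version boundary come from the report, while the SAMPLE_LOCK contents and its version strings are constructed.

```javascript
// Added example, not from the bug report or node-XMLHttpRequest: scan a
// lockfileVersion-1 package-lock.json tree for the versions named above.
// Package names come from the report; SAMPLE_LOCK contents are constructed.

// Numeric dotted comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// As stated in the report: xmlhttprequest before 1.7.0 is affected, and
// every version of xmlhttprequest-ssl (no fixed release is named).
const AFFECTED = {
  xmlhttprequest: (v) => compareVersions(v, '1.7.0') < 0,
  'xmlhttprequest-ssl': () => true,
};

// Walk nested "dependencies" maps; record each affected package with its
// path and whether it is dev-only (the build-time distinction used above).
function findAffected(lock) {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = [...trail, name];
      if (AFFECTED[name] && AFFECTED[name](info.version)) {
        hits.push({ name, version: info.version, path: path.join(' > '), dev: Boolean(info.dev) });
      }
      walk(info.dependencies, path);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample: one dev-only affected copy, one fixed (1.8.0) copy.
const SAMPLE_LOCK = {
  dependencies: {
    'engine.io-client': { version: '0.0.0-constructed', dev: true,
      dependencies: { 'xmlhttprequest-ssl': { version: '1.5.5', dev: true } } },
    'd3-request': { version: '0.0.0-constructed',
      dependencies: { xmlhttprequest: { version: '1.8.0' } } },
  },
};

console.log(JSON.stringify(findAffected(SAMPLE_LOCK), null, 2));
```

A hit with `dev: true` still needs the second step taken in the OSSM assessment above: confirming the delivered artifact carries no trace of the library before marking it not affected.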