Bug 1850119 (CVE-2020-7656) - CVE-2020-7656 jquery: Cross-site scripting (XSS) via <script> HTML tags containing whitespaces
Summary: CVE-2020-7656 jquery: Cross-site scripting (XSS) via <script> HTML tags conta...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-7656
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1850120 1850123 1850134 1850135 1850138 1850139 1850121 1850125 1850126 1850127 1850128 1850129 1850130 1850131 1850132 1850133 1850136 1850137 1859615 1859616 1859617 1859618 1859619 1886340 1886341 1886342 1910644
Blocks: 1850024
TreeView+ depends on / blocked
 
Reported: 2020-06-23 15:07 UTC by Michael Kaplan
Modified: 2022-04-17 20:57 UTC (History)
108 users (show)

Fixed In Version: jquery 1.9.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in jquery in versions prior to 1.9.0. A cross-site scripting attack is possible as the load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character which results in the enclosed script logic to be executed. The highest threat from this vulnerability is to data confidentiality and integrity.
Clone Of:
Environment:
Last Closed: 2020-10-08 08:21:14 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4211 0 None None None 2020-10-08 07:00:09 UTC
Red Hat Product Errata RHSA-2021:4142 0 None None None 2021-11-09 17:24:15 UTC

Description Michael Kaplan 2020-06-23 15:07:57 UTC
jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

https://security.netapp.com/advisory/ntap-20200528-0001/
https://snyk.io/vuln/SNYK-JS-JQUERY-569619

Comment 1 Michael Kaplan 2020-06-23 15:09:53 UTC
Created drupal7 tracking bugs for this issue:

Affects: epel-all [bug 1850138]
Affects: fedora-all [bug 1850136]


Created js-jquery tracking bugs for this issue:

Affects: epel-7 [bug 1850123]
Affects: fedora-all [bug 1850127]


Created js-jquery1 tracking bugs for this issue:

Affects: epel-7 [bug 1850134]
Affects: fedora-all [bug 1850133]


Created js-jquery2 tracking bugs for this issue:

Affects: fedora-all [bug 1850126]


Created python-XStatic-jQuery tracking bugs for this issue:

Affects: epel-7 [bug 1850139]
Affects: fedora-all [bug 1850129]
Affects: openstack-rdo [bug 1850135]


Created python-XStatic-jquery-ui tracking bugs for this issue:

Affects: epel-7 [bug 1850121]
Affects: fedora-all [bug 1850128]
Affects: openstack-rdo [bug 1850125]


Created python-tw-jquery tracking bugs for this issue:

Affects: epel-6 [bug 1850137]


Created python-tw2-jquery tracking bugs for this issue:

Affects: epel-6 [bug 1850132]
Affects: epel-7 [bug 1850120]
Affects: fedora-all [bug 1850131]


Created rubygem-jquery-rails tracking bugs for this issue:

Affects: fedora-all [bug 1850130]

Comment 6 Mark Cooper 2020-06-25 06:14:01 UTC
OpenShift ServiceMesh includes jquery versions not vulnerable to this flaw:
  - kiali jquery v3.5.0
  - servicemesh-grafana jquery v3.5.0

Comment 9 Yadnyawalk Tale 2020-06-25 10:46:18 UTC
Removing Satellite 5 from affects list since it is EOL.

Comment 10 Yadnyawalk Tale 2020-06-25 11:00:35 UTC
CloudForms do not use version less than 1.9.0 hence not affected.

[ytale@cordelia]# grep -inr "jQuery JavaScript Library v"
 jquery.js:2: * jQuery JavaScript Library v1.12.4
 jquery2.js:2: * jQuery JavaScript Library v2.2.4
 jquery3.js:2: * jQuery JavaScript Library v3.4.1

Comment 11 Jason Shepherd 2020-06-25 22:19:21 UTC
All OpenShift Container Platform components which include jQuery include a version later than 1.9.0 and are therefore unaffected by this flaw.

Comment 12 Hardik Vyas 2020-06-26 13:20:39 UTC
Non of the storage products include affected version of jQuery, hence not affected by this flaw.

Ceph-3 grafana : jquery-3.3.1
Ceph-3 grafana-container : jquery-3.3.1
Ceph-4 grafana-container : jquery-3.3.1
Gluster grafana-4.6.4-1.el7rhgs : jquery-3.2.1

Comment 13 Stoyan Nikolov 2020-06-30 06:56:22 UTC
RHEV-M projects use jquery 3.4.1 thus not affected

Comment 15 errata-xmlrpc 2020-10-08 07:00:11 UTC
This issue has been addressed in the following products:

  A-MQ Interconnect 1.y for RHEL 7
  A-MQ Interconnect 1.y for RHEL 6
  A-MQ Interconnect 1.y for RHEL 8

Via RHSA-2020:4211 https://access.redhat.com/errata/RHSA-2020:4211

Comment 16 Product Security DevOps Team 2020-10-08 08:21:14 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-7656

Comment 17 Cedric Buissart 2020-10-08 08:56:03 UTC
Created pcs tracking bugs for this issue:

Affects: fedora-all [bug 1886340]

Comment 19 Cedric Buissart 2020-10-08 09:13:01 UTC
Statement:

Red Hat Enterprise Linux version 6, 7 and 8 ship a vulnerable version of JQuery in the `pcs` component. However the vulnerable has not been found to be exploitable in reasonable scenarios. A future update may update JQuery to a fixed version.

Comment 21 errata-xmlrpc 2021-11-09 17:24:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4142 https://access.redhat.com/errata/RHSA-2021:4142


Note You need to log in before you can comment on or make changes to this bug.