Bug 2056643 (CVE-2022-23647) - CVE-2022-23647 prismjs: improperly escaped output allows an XSS
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-23647
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2065431 2065432 2077092 2077093 2077094 2077095 2077097 2077098 2077099 2077101 2077102 2077103 2077104 2077105 2077106 2077107 2077108 2077109 2077110 2077111 2077112 2077113 2077114 2077115 2077116 2077117 2077118
Blocks: 2064238
Reported: 2022-02-21 17:10 UTC by Marian Rehak
Modified: 2023-09-01 03:00 UTC
CC: 72 users

Fixed In Version: prismjs 1.27.0
Doc Type: If docs needed, set a value
Doc Text:
A cross-site scripting (XSS) vulnerability was found in Prism. The command-line plugin did not properly escape its output. As a result, the input text is inserted into the Document Object Model (DOM) as HTML code, which can be exploited by an attacker.
Clone Of:
Environment:
Last Closed: 2022-12-07 11:33:13 UTC
Embargoed:

Links
System                 | ID             | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2022:6835 | 0       | None     | None   | None    | 2022-10-06 12:27:24 UTC
Red Hat Product Errata | RHSA-2022:8524 | 0       | None     | None   | None    | 2022-11-17 13:40:16 UTC

Description Marian Rehak 2022-02-21 17:10:53 UTC
The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted.

Reference:

https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99
https://github.com/PrismJS/prism/pull/3341
https://github.com/PrismJS/prism/commit/e002e78c343154e1c0ddf9d6a0bb85689e1a5c7c
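As an added illustration of the bug class described above (this is constructed example code, not Prism's own plugin or the fix linked in this report): a model where command lines go through an escaping path but "output" lines are re-inserted as raw text, beside the hardened variant, plus a check a defender can run on rendered HTML. The `escapeHtml` helper, the `(out)` marker and the class names are assumptions for the model.

```javascript
// Added example (not Prism's code): a model of the report's bug class. Prism
// core escapes code before inserting it, but a plugin that re-inserts raw
// source text for some lines bypasses that. Here "output" lines are the ones
// the command-line plugin treats specially.

// Hypothetical helper standing in for whatever escaping the real fix uses.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Constructed stand-in for the plugin's rendering. `escapeOutput: false`
// reproduces the defect (raw text into markup); `true` is the hardened form.
const OUTPUT_MARKER = '(out)'; // constructed marker, not Prism's real syntax
function renderCommandLine(sourceLines, { escapeOutput }) {
  return sourceLines.map((line) => {
    if (!line.startsWith(OUTPUT_MARKER)) {
      // Command lines go through the normal (escaping) highlighter path.
      return `<span class="command">${escapeHtml(line)}</span>`;
    }
    const body = line.slice(OUTPUT_MARKER.length);
    const rendered = escapeOutput ? escapeHtml(body) : body;
    return `<span class="output">${rendered}</span>`;
  }).join('\n');
}

// Check a defender can run on rendered HTML: once the plugin's own wrapper
// spans are removed, nothing tag-like should remain. Any '<' that survives
// came from the source text and will be parsed as markup by the browser.
function noTagsLeakedFromSource(html) {
  const withoutWrappers = html.replace(/<\/?span[^>]*>/g, '');
  return !/<[^>]*>/.test(withoutWrappers);
}

// Constructed sample: a listing whose output line carries markup.
const SAMPLE = ['ls -la', '(out)total 0 <b>injected</b>'];
const vulnerableHtml = renderCommandLine(SAMPLE, { escapeOutput: false });
const hardenedHtml = renderCommandLine(SAMPLE, { escapeOutput: true });
```

Running `noTagsLeakedFromSource` over both renderings shows the unescaped variant leaking the `<b>` tag into the DOM while the hardened variant keeps it as text.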

Comment 4 Sage McTaggart 2022-03-18 18:17:38 UTC
Affects prism versions after v1.14.0.

Comment 7 Vít Ondruch 2022-03-23 16:50:15 UTC
Could you please elaborate on how the CC list was compiled? I can't see how I am related to this issue in any way. I think that bit of clarity would help.

Comment 9 Sandipan Roy 2022-03-24 12:18:14 UTC
In reply to comment #7:
> Could you please elaborate on how the CC list was compiled? I can't see how
> I am related to this issue in any way. I think that bit of clarity would help.

Hi Vit,

Usually, it's compiled with input from the ENG contact when we're onboarding a product; the CC list is defined in product definitions.

Thanks.

Comment 10 Vít Ondruch 2022-03-25 14:59:56 UTC
(In reply to Sandipan Roy from comment #9)
> In reply to comment #7:
> > Could you please elaborate on how the CC list was compiled? I can't see how
> > I am related to this issue in any way. I think that bit of clarity would help.
> 
> Hi Vit,
> 
> Usually, it's compiled with input from the ENG contact when we're onboarding
> a product; the CC list is defined in product definitions.
> 
> Thanks.

Thanks, but unfortunately that does not help me understand how I got on the list or whether I should pay attention. So I still wonder how I got on the list.

Comment 14 Sage McTaggart 2022-04-20 17:15:27 UTC
Created golang-ariga-atlas tracking bugs for this issue:

Affects: fedora-34 [bug 2077093]
Affects: fedora-35 [bug 2077101]
Affects: fedora-all [bug 2077113]


Created golang-github-hashicorp-consul-api tracking bugs for this issue:

Affects: fedora-34 [bug 2077094]
Affects: fedora-35 [bug 2077102]
Affects: fedora-all [bug 2077114]


Created golang-github-hashicorp-consul-sdk tracking bugs for this issue:

Affects: fedora-34 [bug 2077095]
Affects: fedora-35 [bug 2077103]
Affects: fedora-all [bug 2077115]


Created grafana tracking bugs for this issue:

Affects: fedora-34 [bug 2077097]
Affects: fedora-35 [bug 2077104]
Affects: fedora-all [bug 2077116]


Created python-drf-yasg tracking bugs for this issue:

Affects: epel-8 [bug 2077092]
Affects: epel-all [bug 2077112]
Affects: fedora-34 [bug 2077098]
Affects: fedora-35 [bug 2077106]
Affects: fedora-all [bug 2077117]


Created vagrant tracking bugs for this issue:

Affects: fedora-34 [bug 2077099]
Affects: fedora-35 [bug 2077109]
Affects: fedora-all [bug 2077118]

Comment 17 Vít Ondruch 2022-04-28 09:37:56 UTC
(In reply to Vít Ondruch from comment #10)
> (In reply to Sandipan Roy from comment #9)
> > In reply to comment #7:
> > > Could you please elaborate on how the CC list was compiled? I can't see how
> > > I am related to this issue in any way. I think that bit of clarity would help.
> > 
> > Hi Vit,
> > 
> > Usually, it's compiled with input from the ENG contact when we're onboarding
> > a product; the CC list is defined in product definitions.
> > 
> > Thanks.
> 
> Thanks, but unfortunately that does not help me understand how I got on the
> list or whether I should pay attention. So I still wonder how I got on the
> list.

OK, since the Vagrant trackers were reported about a month later, it is now obvious where this comes from. Nevertheless, it seems that prism.js is only mentioned in package-lock.json in the source tarball. I don't think it is even included in the sources, and it is definitely not included in the resulting RPMs, so I don't think this is the right approach. So is there a chance to reconsider this? Who should I talk to about this?

Comment 18 Vít Ondruch 2022-04-28 09:40:53 UTC
(In reply to Vít Ondruch from comment #17)
> OK, since the Vagrant trackers were reported about a month later, it is now
> obvious where this comes from. Nevertheless, it seems that prism.js is only
> mentioned in package-lock.json in the source tarball. I don't think it is
> even included in the sources, and it is definitely not included in the
> resulting RPMs, so I don't think this is the right approach. So is there a
> chance to reconsider this? Who should I talk to about this?

BTW there are also other trackers such as CVE-2022-29078 and CVE-2021-23566, so I'd like to stop this.

Comment 19 Vít Ondruch 2022-04-28 09:43:59 UTC
(In reply to Vít Ondruch from comment #18)
> (In reply to Vít Ondruch from comment #17)
> > OK, since the Vagrant trackers were reported about a month later, it is now
> > obvious where this comes from. Nevertheless, it seems that prism.js is only
> > mentioned in package-lock.json in the source tarball. I don't think it is
> > even included in the sources, and it is definitely not included in the
> > resulting RPMs, so I don't think this is the right approach. So is there a
> > chance to reconsider this? Who should I talk to about this?
> 
> BTW there are also other trackers such as CVE-2022-29078 and CVE-2021-23566,
> so I'd like to stop this.

And CVE-2022-1365, where it is again not clear.

Comment 22 Vít Ondruch 2022-04-28 10:16:41 UTC
(In reply to Sandipan Roy from comment #20)
> In reply to comment #17:
> > OK, since the Vagrant trackers were reported about a month later, it is now
> > obvious where this comes from. Nevertheless, it seems that prism.js is only
> > mentioned in package-lock.json in the source tarball. I don't think it is
> > even included in the sources, and it is definitely not included in the
> > resulting RPMs, so I don't think this is the right approach. So is there a
> > chance to reconsider this? Who should I talk to about this?
> 
> I do not understand what specific Product or specific Product Component you
> are talking about.

Fedora

> And if you think that prism.js is only a build dependency or does not affect
> our product then you or engineering team can close the bug as WONTFIX.

prism.js is not even a build dependency. It is included neither in the sources nor in the build output. It is just mentioned in package-lock.json. But the problem is that somebody scans package-lock.json and all the JS libraries mentioned there are treated as if Vagrant were vulnerable. That is one thing, but also:

1) If the Vagrant Fedora trackers had been reported immediately, it would have been obvious where this comes from. This is not the case.
2) The problem is the scale: I have just mentioned 4 CVEs reported against Vagrant above, and I don't want to close each as WONTFIX.
3) The amount of emails I receive due to these trackers is unbelievable. Just for this specific CVE, I have received 38 email notifications so far. 20 emails for CVE-2022-29078, 47 emails about CVE-2021-23566 and 9 emails for CVE-2022-1365, where the Fedora Vagrant trackers have not been created yet, so I can only wonder why I am on CC.

So far, that is 114 emails I should never have received, so WONTFIX is not a solution. This is just a great loss of time I'd like to avoid.

Comment 30 errata-xmlrpc 2022-10-06 12:27:19 UTC
This issue has been addressed in the following products:

  RHINT Service Registry 2.3.0 GA

Via RHSA-2022:6835 https://access.redhat.com/errata/RHSA-2022:6835

Comment 31 errata-xmlrpc 2022-11-17 13:40:13 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 8.4.0

Via RHSA-2022:8524 https://access.redhat.com/errata/RHSA-2022:8524

Comment 32 Product Security DevOps Team 2022-12-07 11:33:08 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-23647