The Command Line plugin did not properly escape its output, so the input text was inserted into the DOM as HTML rather than as text; any markup contained in the highlighted text is therefore rendered live by the browser (a client-side cross-site scripting issue). Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted.

Reference:
https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99
https://github.com/PrismJS/prism/pull/3341
https://github.com/PrismJS/prism/commit/e002e78c343154e1c0ddf9d6a0bb85689e1a5c7c
Affects prism versions after v1.14.0.
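The bug class described above, as an added example that is not Prism's own code: a stripped-down model of a command-line highlighter that treats prompt-prefixed lines as commands and everything else as program output, rendered once with the output lines spliced into the HTML string unescaped and once with every line escaped. The "$ " prompt convention, the function names and the sample session are assumptions made for illustration; the real plugin's configuration and markup differ.

```javascript
// Added example, not Prism's own code: a minimal model of a "command line"
// highlighter that shows the escaping bug class from the advisory and its fix.
// The prompt convention, function names and sample session are assumptions.

// Escape the characters that are significant when a string is handed to
// innerHTML, so untrusted text is rendered as text rather than as markup.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Split a session into lines. Lines starting with the prompt (assumed "$ ")
// are commands typed by the user; everything else is program output.
function splitLines(code, prompt) {
  return code.split('\n').map(function (line) {
    return line.startsWith(prompt)
      ? { kind: 'command', text: line.slice(prompt.length) }
      : { kind: 'output', text: line };
  });
}

// Vulnerable variant: command lines are escaped, but output lines are spliced
// into the HTML string as-is, so a tag inside program output becomes live DOM.
function renderVulnerable(code, prompt) {
  return splitLines(code, prompt).map(function (line) {
    if (line.kind === 'command') {
      return '<span class="command">' + escapeHtml(line.text) + '</span>';
    }
    return '<span class="output">' + line.text + '</span>'; // BUG: unescaped
  }).join('\n');
}

// Fixed variant: every line goes through the escaper, whatever its kind.
function renderFixed(code, prompt) {
  return splitLines(code, prompt).map(function (line) {
    var cls = line.kind === 'command' ? 'command' : 'output';
    return '<span class="' + cls + '">' + escapeHtml(line.text) + '</span>';
  }).join('\n');
}

// Check used to verify a rendering: true if the HTML contains a raw "<" that
// starts any tag other than the <span> wrappers the renderer itself emits.
function containsRawTag(html) {
  return /<(?!\/?span\b)[a-zA-Z]/.test(html);
}

// Constructed sample: program output that carries an HTML payload.
var SAMPLE = [
  '$ cat banner.txt',
  'Hello <img src=x onerror="alert(document.domain)">',
  '$ echo done',
  'done'
].join('\n');

console.log('vulnerable rendering has live tag:', containsRawTag(renderVulnerable(SAMPLE, '$ ')));
console.log('fixed rendering has live tag:     ', containsRawTag(renderFixed(SAMPLE, '$ ')));
```

The check to carry over to real code is the one `containsRawTag` performs: wherever a string assembled from user-supplied text ends up in `innerHTML`, every fragment of that text must pass through an escaper, including fragments the code thinks of as plain "output" rather than "code".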
Could you please elaborate on how the CC list was compiled? I can't see how I am related to this issue in any way. I think that bit of clarity would help.
In reply to comment #7:
> Could you please elaborate, how the CC list was compiled? I can't see myself
> anyhow related to this issue. I think that bit of clarity would help.

Hi Vit,

Usually, it's compiled with input from the ENG contact when we're onboarding a product; the CC list is defined in product definitions.

Thanks.
(In reply to Sandipan Roy from comment #9)
> In reply to comment #7:
> > Could you please elaborate, how the CC list was compiled? I can't see myself
> > anyhow related to this issue. I think that bit of clarity would help.
>
> Hi Vit,
>
> Usually, it's compiled with input from the ENG contact when we're onboarding
> a product, the cc list is defined in product definitions.
>
> Thanks.

Thanks, unfortunately that does not help me understand how I got on the list and whether I should pay attention. So I still wonder how I got on the list.
Created golang-ariga-atlas tracking bugs for this issue:

Affects: fedora-34 [bug 2077093]
Affects: fedora-35 [bug 2077101]
Affects: fedora-all [bug 2077113]

Created golang-github-hashicorp-consul-api tracking bugs for this issue:

Affects: fedora-34 [bug 2077094]
Affects: fedora-35 [bug 2077102]
Affects: fedora-all [bug 2077114]

Created golang-github-hashicorp-consul-sdk tracking bugs for this issue:

Affects: fedora-34 [bug 2077095]
Affects: fedora-35 [bug 2077103]
Affects: fedora-all [bug 2077115]

Created grafana tracking bugs for this issue:

Affects: fedora-34 [bug 2077097]
Affects: fedora-35 [bug 2077104]
Affects: fedora-all [bug 2077116]

Created python-drf-yasg tracking bugs for this issue:

Affects: epel-8 [bug 2077092]
Affects: epel-all [bug 2077112]
Affects: fedora-34 [bug 2077098]
Affects: fedora-35 [bug 2077106]
Affects: fedora-all [bug 2077117]

Created vagrant tracking bugs for this issue:

Affects: fedora-34 [bug 2077099]
Affects: fedora-35 [bug 2077109]
Affects: fedora-all [bug 2077118]
(In reply to Vít Ondruch from comment #10)
> (In reply to Sandipan Roy from comment #9)
> > In reply to comment #7:
> > > Could you please elaborate, how the CC list was compiled? I can't see myself
> > > anyhow related to this issue. I think that bit of clarity would help.
> >
> > Hi Vit,
> >
> > Usually, it's compiled with input from the ENG contact when we're onboarding
> > a product, the cc list is defined in product definitions.
> >
> > Thanks.
>
> Thanks, unfortunately that does not help me to understand how I got on the
> list and if I should pay some attention. So I still wonder how I got on the
> list?

Ok, since the Vagrant trackers were reported about a month later, it is now obvious where this comes from. Nevertheless, it seems that prism.js is mentioned only in the source tarball's package-lock.json. I don't think it is even included in the sources, and it is definitely not included in the resulting RPMs, so I don't think this is the right approach. So is there a chance to reconsider this? Who should I talk to about this?
(In reply to Vít Ondruch from comment #17)
> Ok, since there were ~month later reported Vagrant trackers, it is obvious
> where does this comes from now. Nevertheless, it seems that the prism.js is
> mentioned just in source tarball in package-lock.json. I don't think it is
> even included in the sources and it is definitely not included in the
> resulting RPMs, so I don't think this is right approach. So is there chance
> to reconsider this? Who to talk to about this?

BTW, there are also other trackers such as CVE-2022-29078 and CVE-2021-23566, so I'd like to stop this.
(In reply to Vít Ondruch from comment #18)
> (In reply to Vít Ondruch from comment #17)
> > Ok, since there were ~month later reported Vagrant trackers, it is obvious
> > where does this comes from now. Nevertheless, it seems that the prism.js is
> > mentioned just in source tarball in package-lock.json. I don't think it is
> > even included in the sources and it is definitely not included in the
> > resulting RPMs, so I don't think this is right approach. So is there chance
> > to reconsider this? Who to talk to about this?
>
> BTW there are also other trackers such as CVE-2022-29078 and CVE-2021-23566,
> so I'd like to stop this.

And CVE-2022-1365, where it is again not clear.
(In reply to Sandipan Roy from comment #20)
> In reply to comment #17:
> > Ok, since there were ~month later reported Vagrant trackers, it is obvious
> > where does this comes from now. Nevertheless, it seems that the prism.js is
> > mentioned just in source tarball in package-lock.json. I don't think it is
> > even included in the sources and it is definitely not included in the
> > resulting RPMs, so I don't think this is right approach. So is there chance
> > to reconsider this? Who to talk to about this?
>
> I do not understand what specific Product or specific Product Component You
> are talking about.

Fedora

> And if you think that prism.js is only a build dependency or does not affect
> our product then you or engineering team can close the bug as WONTFIX.

prism.js is not even a build dependency. It is not included in the sources nor in the build output. It is just mentioned in package-lock.json. But the problem is that somebody scans the package-lock.json and all the JS libraries mentioned there are treated as if Vagrant were vulnerable. That is one thing, but also:

1) If the Vagrant Fedora trackers had been reported immediately, it would be obvious where this comes from. This is not the case.

2) The problem is the scale. I have just mentioned above 4 CVEs reported against Vagrant, and I don't want to close each as WONTFIX.

3) The amount of email I receive due to these trackers is unbelievable. Just for this specific CVE, I have received 38 email notifications so far; 20 emails for CVE-2022-29078, 47 emails about CVE-2021-23566 and 9 emails for CVE-2022-1365, where the Fedora Vagrant trackers were not created yet, so I might just wonder why I am on CC. So far, it is 114 emails I should have never received, so WONTFIX is not a solution. This is just a great loss of time I'd like to avoid.
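One way to check the point made in the comment above, as an added example that is not part of Vagrant, Fedora or any Red Hat tooling: a small triage over a package-lock.json that reports whether a flagged npm package would actually ship at runtime or is only listed as a dev dependency. The lockfile is constructed for illustration; the code walks lockfileVersion 2/3 "packages" entries (including nested copies) and, for lockfileVersion 1, only the top-level "dependencies" map.

```javascript
// Added example, not part of Vagrant, Fedora or any Red Hat tooling: decide
// whether a package named in package-lock.json would ship at runtime or is
// only a dev dependency. The lockfile below is constructed for illustration.

// Constructed lockfileVersion 2 file: prismjs is only reachable through
// devDependencies (both the top-level copy and a nested copy are "dev": true).
var SAMPLE_LOCK = {
  name: 'website',
  lockfileVersion: 2,
  packages: {
    '': {
      dependencies: { express: '^4.18.0' },
      devDependencies: { prismjs: '^1.25.0', 'some-docs-tool': '^2.0.0' }
    },
    'node_modules/express': { version: '4.18.2' },
    'node_modules/prismjs': { version: '1.25.0', dev: true },
    'node_modules/some-docs-tool': { version: '2.0.0', dev: true },
    'node_modules/some-docs-tool/node_modules/prismjs': { version: '1.20.0', dev: true }
  }
};

// Collect every installed copy of a package. lockfileVersion 2/3 keys the
// "packages" map by install path, so nested copies end in "/node_modules/<name>".
// lockfileVersion 1 is handled only at the top level of "dependencies".
function findEntries(lock, name) {
  var hits = [];
  if (lock.packages) {
    Object.keys(lock.packages).forEach(function (key) {
      if (key === 'node_modules/' + name || key.endsWith('/node_modules/' + name)) {
        hits.push(lock.packages[key]);
      }
    });
  } else if (lock.dependencies && lock.dependencies[name]) {
    hits.push(lock.dependencies[name]);
  }
  return hits;
}

// 'runtime' if any copy lacks the dev flag, 'dev-only' if all copies are
// dev, 'absent' if the package is not in the lockfile at all.
function classifyPackage(lock, name) {
  var entries = findEntries(lock, name);
  if (entries.length === 0) return { status: 'absent', versions: [] };
  var shipped = entries.some(function (e) { return !e.dev; });
  return {
    status: shipped ? 'runtime' : 'dev-only',
    versions: entries.map(function (e) { return e.version; })
  };
}

// Sort a list of flagged package names into what actually needs a tracker.
function triage(lock, names) {
  var result = { shipped: [], devOnly: [], absent: [] };
  names.forEach(function (name) {
    var c = classifyPackage(lock, name);
    var label = name + '@' + c.versions.join('/');
    if (c.status === 'absent') result.absent.push(name);
    else if (c.status === 'dev-only') result.devOnly.push(label);
    else result.shipped.push(label);
  });
  return result;
}

console.log(JSON.stringify(triage(SAMPLE_LOCK, ['prismjs', 'express', 'left-pad']), null, 2));
```

A "dev-only" result is evidence that the flagged library does not reach the shipped artifact, which is the situation the comment describes; it still needs pairing with a look at what the build actually produces (the RPM file list) before closing a tracker, because a dev dependency can still contribute files to a built asset.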
This issue has been addressed in the following products: RHINT Service Registry 2.3.0 GA Via RHSA-2022:6835 https://access.redhat.com/errata/RHSA-2022:6835
This issue has been addressed in the following products: Red Hat Data Grid 8.4.0 Via RHSA-2022:8524 https://access.redhat.com/errata/RHSA-2022:8524
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-23647