CVE-2020-7656
Vulnerability from cvelistv5
Published
2020-05-19 00:00
Modified
2024-08-04 09:33
Summary
jQuery prior to 1.9.0 allows cross-site scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, for example "</script >", which results in the enclosed script logic being executed.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T09:33:19.995Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20200528-0001/" }, { "tags": [ "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "tags": [ "x_transferred" ], "url": "https://snyk.io/vuln/SNYK-JS-JQUERY-569619" }, { "tags": [ "x_transferred" ], "url": "https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved-in-Junos-OS-21-2R1?language=en_US" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "jquery", "vendor": "n/a", "versions": [ { "status": "affected", "version": "All versions prior to version 1.9.0" } ] } ], "descriptions": [ { "lang": "en", "value": "jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove \"\u003cscript\u003e\" HTML tags that contain a whitespace character, i.e: \"\u003c/script \u003e\", which results in the enclosed script logic to be executed." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site Scripting", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-06-13T00:00:00", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk" }, "references": [ { "url": "https://security.netapp.com/advisory/ntap-20200528-0001/" }, { "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "url": "https://snyk.io/vuln/SNYK-JS-JQUERY-569619" }, { "url": "https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved-in-Junos-OS-21-2R1?language=en_US" } ] } }, "cveMetadata": { "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2020-7656", "datePublished": "2020-05-19T00:00:00", "dateReserved": "2020-01-21T00:00:00", "dateUpdated": "2024-08-04T09:33:19.995Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2020-7656\",\"sourceIdentifier\":\"report@snyk.io\",\"published\":\"2020-05-19T21:15:10.257\",\"lastModified\":\"2024-11-21T05:37:33.227\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove \\\"\u003cscript\u003e\\\" HTML tags that contain a whitespace character, i.e: \\\"\u003c/script \u003e\\\", which results in the enclosed script logic to be executed.\"},{\"lang\":\"es\",\"value\":\"jquery versiones anteriores a 1.9.0, permite ataques de tipo Cross-site Scripting por medio del m\u00e9todo de carga. 
El m\u00e9todo de carga presenta un fallo al reconocer y eliminar las etiquetas HTML \\\"(script)\\\" que contienen un car\u00e1cter de espacio en blanco, es decir: \\\"(/script )\\\", lo cual resulta en que la l\u00f3gica de script adjunta sea ejecutada.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jquery:jquery:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"1.9.0\",\"matchCriteriaId\":\"49F1A5F5-D118-444E-B0EA-757DD5E181AC\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9\"}]}]},{\"nodes\"
:[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*\",\"matchCriteriaId\":\"F3E0B672-3E06-4422-B2A4-0BD073AEC2A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*\",\"matchCriteriaId\":\"3A756737-1CC4-42C2-A4DF-E1C893B4E2D5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*\",\"matchCriteriaId\":\"B55E8D50-99B4-47EC-86F9-699B67D473CE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5C2089EE-5D7F-47EC-8EA5-0F69790564C4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndIncluding\":\"3.1.3\",\"matchCriteriaId\":\"34B80C9D-62AA-42FA-AB46-F8A414FCBE5E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9F4754FB-E3EB-454A-AB1A-AE3835C5350C\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos:21.2:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"216E7DDE-453D-481F-92E2-9F8466CDDA3F\"}]}]}],\"references\":[{\"url\":\"https://security.netapp.com/advisory/ntap-20200528-0001/\",\"source\":\"report@snyk.io\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://snyk.io/vuln/SNYK-JS-JQUERY-569619\",\"source\":\"report@snyk.io\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved-in-Junos-OS-21-2R1?language=en_US\",\"source\":\"report@snyk.io\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2022.html\",\"source\":\"report@snyk.io\",\"tags\":[\"Third Party 
Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20200528-0001/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://snyk.io/vuln/SNYK-JS-JQUERY-569619\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved-in-Junos-OS-21-2R1?language=en_US\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2022.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}" } }
ICSA-22-097-01
Vulnerability from csaf_cisa
Published
2022-04-07 00:00
Modified
2022-04-07 00:00
Summary
Pepperl+Fuchs WirelessHART-Gateway
Notes
CISA Disclaimer
This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.
Risk evaluation
Successful exploitation of these vulnerabilities may result in a denial-of-service condition, code execution, and code exposure.
Critical infrastructure sectors
Multiple
Countries/areas deployed
Worldwide
Company headquarters location
Germany
Recommended Practices
CISA recommends users take the following measures to protect themselves from social engineering attacks:
Recommended Practices
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Recommended Practices
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
Exploitability
No known public exploits specifically target these vulnerabilities.
{ "document": { "acknowledgments": [ { "organization": "CERT@VDE", "summary": "coordinating these vulnerabilities with Pepperl+Fuchs" } ], "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Disclosure is not limited", "tlp": { "label": "WHITE", "url": "https://us-cert.cisa.gov/tlp/" } }, "lang": "en-US", "notes": [ { "category": "general", "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov", "title": "CISA Disclaimer" }, { "category": "legal_disclaimer", "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. 
For more information about TLP, see https://us-cert.cisa.gov/tlp/.", "title": "Legal Notice" }, { "category": "summary", "text": "Successful exploitation of these vulnerabilities may result in a denial-of-service condition, code execution, and code exposure.", "title": "Risk evaluation" }, { "category": "other", "text": "Multiple", "title": "Critical infrastructure sectors" }, { "category": "other", "text": "Worldwide", "title": "Countries/areas deployed" }, { "category": "other", "text": "Germany", "title": "Company headquarters location" }, { "category": "general", "text": "CISA recommends users take the following measures to protect themselves from social engineering attacks:", "title": "Recommended Practices" }, { "category": "general", "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.", "title": "Recommended Practices" }, { "category": "general", "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.", "title": "Recommended Practices" }, { "category": "other", "text": "No known public exploits specifically target these vulnerabilities.", "title": "Exploitability" } ], "publisher": { "category": "coordinator", "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870", "name": "CISA", "namespace": 
"https://www.cisa.gov/" }, "references": [ { "category": "self", "summary": "ICS Advisory ICSA-22-097-01 JSON", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2022/icsa-22-097-01.json" }, { "category": "self", "summary": "ICS Advisory ICSA-22-097-01 Web Version", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-22-097-01" }, { "category": "external", "summary": "Recommended Practices", "url": "https://www.cisa.gov/uscert/ncas/tips/ST04-014" }, { "category": "external", "summary": "Recommended Practices", "url": "https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" }, { "category": "external", "summary": "Recommended Practices", "url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B" } ], "title": "Pepperl+Fuchs WirelessHART-Gateway", "tracking": { "current_release_date": "2022-04-07T00:00:00.000000Z", "generator": { "engine": { "name": "CISA CSAF Generator", "version": "1.0.0" } }, "id": "ICSA-22-097-01", "initial_release_date": "2022-04-07T00:00:00.000000Z", "revision_history": [ { "date": "2022-04-07T00:00:00.000000Z", "legacy_version": "Initial", "number": "1", "summary": "ICSA-22-097-01 Pepperl+Fuchs WirelessHART-Gateway" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "3.0.7 | 3.0.8 | 3.0.9", "product": { "name": "WHA-GW-F2D2-0-AS- Z2-ETH: Versions 3.0.7 3.0.8 3.0.9", "product_id": "CSAFPID-0001" } } ], "category": "product_name", "name": "WHA-GW-F2D2-0-AS- Z2-ETH" }, { "branches": [ { "category": "product_version", "name": "3.0.7 | 3.0.8 | 3.0.9", "product": { "name": "WHA-GW-F2D2-0-AS- Z2-ETH.EIP: Versions 3.0.7 3.0.8 3.0.9", "product_id": "CSAFPID-0002" } } ], "category": "product_name", "name": "WHA-GW-F2D2-0-AS- Z2-ETH.EIP" } ], "category": "vendor", "name": "Pepperl+Fuchs" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-34565", "cwe": { 
"id": "CWE-798", "name": "Use of Hard-coded Credentials" }, "notes": [ { "category": "summary", "text": "The affected product allows active SSH and telnet services with hard-coded credentials.CVE-2021-34565 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34565" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2016-10707", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "notes": [ { "category": "summary", "text": "jQuery 3.0.0-rc.1 is vulnerable to a denial-of-service condition due to removing a logic a 
lowercased attribute names. Any attribute using a mixed-cased name for boolean attributes goes into an infinite recursion, exceeding the stack call limit.CVE-2016-10707 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10707" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2021-34561", "cwe": { "id": "CWE-350", "name": "Reliance on Reverse DNS Resolution for a Security-Critical Action" }, "notes": [ { "category": "summary", "text": "If the application is not externally accessible or uses IP-based access restrictions, attackers can use 
DNS rebinding to bypass any IP or firewall-based access restrictions by proxying through their target\u0027s browser. This vulnerability only affects Versions 3.0.7 through 3.0.8.CVE-2021-34561 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34561" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2021-33555", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "notes": [ { "category": "summary", "text": "The filename parameter is vulnerable to unauthenticated 
path traversal attacks, enabling read access to arbitrary files on the server. This vulnerability only affects Version 3.0.7.CVE-2021-33555 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33555" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2014-6071", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "notes": [ { "category": "summary", "text": "jQuery Version 1.4.2 allows remote attackers to conduct cross-site scripting attacks via vectors related to 
use of the text method.CVE-2014-6071 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6071" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2012-6708", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "notes": [ { "category": "summary", "text": "jQuery versions prior to 1.9.0 are vulnerable to cross-site scripting attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. 
In vulnerable versions, jQuery determined whether the input was HTML by looking for the \u0027\u003c\u0027 character anywhere in the string, giving attackers more flexibility when attempting to deliver a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the \u0027\u003c\u0027 character, limiting exploitability only to attackers who can control the beginning of a string.CVE-2012-6708 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6708" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": 
"CVE-2015-9251", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "notes": [ { "category": "summary", "text": "jQuery versions prior to 3.0.0 are vulnerable to cross-site scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.CVE-2015-9251 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9251" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2020-11023", "cwe": 
{ "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "notes": [ { "category": "summary", "text": "In jQuery versions between 1.0.3 and 3.5.0, passing HTML containing \u003coption\u003e elements from untrusted sources (even after sanitizing it) to one of jQuery\u0027s DOM manipulation methods (i.e., .html(), .append(), and others) may execute untrusted code. This vulnerability is patched in jQuery 3.5.0.CVE-2020-11023 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11023" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, 
"products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2020-11022", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "notes": [ { "category": "summary", "text": "In jQuery versions between 1.2 and 3.5.0, passing HTML from untrusted sources (even after sanitizing it) to one of jQuery\u0027s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This vulnerability is patched in jQuery 3.5.0.CVE-2020-11022 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11022" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2019-11358", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "notes": [ { "category": "summary", "text": "jQuery versions prior to 3.4.0, as used in specific products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.CVE-2019-11358 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11358" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 6.1, 
"baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2020-7656", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "notes": [ { "category": "summary", "text": "jQuery versions prior to 1.9.0 allow cross-site scripting attacks via the load method. The load method fails to recognize and remove \"\u003cscript\u003e\" HTML tags that contain a whitespace character, \"\u003c/script \u003e\", which results in the enclosed script logic to be executed.CVE-2020-7656 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7656" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": 
"https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2021-34560", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "notes": [ { "category": "summary", "text": "The affected product contains a password field with autocomplete enabled. The stored credentials can be captured by an attacker who gains control over the user\u0027s computer.CVE-2021-34560 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34560" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { 
"baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2021-34564", "cwe": { "id": "CWE-315", "name": "Cleartext Storage of Sensitive Information in a Cookie" }, "notes": [ { "category": "summary", "text": "Cookie stealing vulnerabilities within the application or browser allow an attacker to steal the user\u0027s credentials in Version 3.0.9.CVE-2021-34564 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34564" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0" }, 
"products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2021-34559", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "notes": [ { "category": "summary", "text": "In the affected product, Versions 3.0.7 through 3.0.8 have a vulnerability that may allow remote attackers to rewrite links and URLs in cached pages to arbitrary strings.CVE-2021-34559 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34559" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": 
"CVE-2021-34562", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "notes": [ { "category": "summary", "text": "In the affected product, Version 3.0.8, it is possible to inject arbitrary JavaScript into the application\u0027s response.CVE-2021-34562 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34562" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2007-2379", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized 
Actor" }, "notes": [ { "category": "summary", "text": "The jQuery framework exchanges data using JavaScript object notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka \"JavaScript Hijacking.\"CVE-2007-2379 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2379" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2011-4969", "cwe": { "id": 
"CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "notes": [ { "category": "summary", "text": "jQuery versions prior to 1.6.3 contain a Cross-site scripting (XSS) vulnerability, which when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.CVE-2011-4969 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4969" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 4.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2021-34563", "cwe": { "id": "CWE-1004", 
"name": "Sensitive Cookie Without \u0027HttpOnly\u0027 Flag" }, "notes": [ { "category": "summary", "text": "In the affected product, Versions 3.0.8 and 3.0.9, the HttpOnly attribute is not set on a cookie, which allows the cookie\u0027s value to be read or set by client-side JavaScript.CVE-2021-34563 has been assigned to this vulnerability. A CVSS v3 base score of 3.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34563" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2013-0169", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "The TLS 
protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the Lucky Thirteen issue.CVE-2013-0169 has been assigned to this vulnerability. A CVSS v3 base score of 3.7 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 3.7, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] } ] }
icsa-22-097-01
Vulnerability from csaf_cisa
Published
2022-04-07 00:00
Modified
2022-04-07 00:00
Summary
Pepperl+Fuchs WirelessHART-Gateway
Notes
CISA Disclaimer
This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.
Risk evaluation
Successful exploitation of these vulnerabilities may result in a denial-of-service condition, code execution, and code exposure.
Critical infrastructure sectors
Multiple
Countries/areas deployed
Worldwide
Company headquarters location
Germany
Recommended Practices
CISA recommends users take the following measures to protect themselves from social engineering attacks:
Recommended Practices
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Recommended Practices
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
Exploitability
No known public exploits specifically target these vulnerabilities.
{ "document": { "acknowledgments": [ { "organization": "CERT@VDE", "summary": "coordinating these vulnerabilities with Pepperl+Fuchs" } ], "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Disclosure is not limited", "tlp": { "label": "WHITE", "url": "https://us-cert.cisa.gov/tlp/" } }, "lang": "en-US", "notes": [ { "category": "general", "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov", "title": "CISA Disclaimer" }, { "category": "legal_disclaimer", "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. 
For more information about TLP, see https://us-cert.cisa.gov/tlp/.", "title": "Legal Notice" }, { "category": "summary", "text": "Successful exploitation of these vulnerabilities may result in a denial-of-service condition, code execution, and code exposure.", "title": "Risk evaluation" }, { "category": "other", "text": "Multiple", "title": "Critical infrastructure sectors" }, { "category": "other", "text": "Worldwide", "title": "Countries/areas deployed" }, { "category": "other", "text": "Germany", "title": "Company headquarters location" }, { "category": "general", "text": "CISA recommends users take the following measures to protect themselves from social engineering attacks:", "title": "Recommended Practices" }, { "category": "general", "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.", "title": "Recommended Practices" }, { "category": "general", "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.", "title": "Recommended Practices" }, { "category": "other", "text": "No known public exploits specifically target these vulnerabilities.", "title": "Exploitability" } ], "publisher": { "category": "coordinator", "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870", "name": "CISA", "namespace": 
"https://www.cisa.gov/" }, "references": [ { "category": "self", "summary": "ICS Advisory ICSA-22-097-01 JSON", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2022/icsa-22-097-01.json" }, { "category": "self", "summary": "ICS Advisory ICSA-22-097-01 Web Version", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-22-097-01" }, { "category": "external", "summary": "Recommended Practices", "url": "https://www.cisa.gov/uscert/ncas/tips/ST04-014" }, { "category": "external", "summary": "Recommended Practices", "url": "https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" }, { "category": "external", "summary": "Recommended Practices", "url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B" } ], "title": "Pepperl+Fuchs WirelessHART-Gateway", "tracking": { "current_release_date": "2022-04-07T00:00:00.000000Z", "generator": { "engine": { "name": "CISA CSAF Generator", "version": "1.0.0" } }, "id": "ICSA-22-097-01", "initial_release_date": "2022-04-07T00:00:00.000000Z", "revision_history": [ { "date": "2022-04-07T00:00:00.000000Z", "legacy_version": "Initial", "number": "1", "summary": "ICSA-22-097-01 Pepperl+Fuchs WirelessHART-Gateway" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "3.0.7 | 3.0.8 | 3.0.9", "product": { "name": "WHA-GW-F2D2-0-AS- Z2-ETH: Versions 3.0.7 3.0.8 3.0.9", "product_id": "CSAFPID-0001" } } ], "category": "product_name", "name": "WHA-GW-F2D2-0-AS- Z2-ETH" }, { "branches": [ { "category": "product_version", "name": "3.0.7 | 3.0.8 | 3.0.9", "product": { "name": "WHA-GW-F2D2-0-AS- Z2-ETH.EIP: Versions 3.0.7 3.0.8 3.0.9", "product_id": "CSAFPID-0002" } } ], "category": "product_name", "name": "WHA-GW-F2D2-0-AS- Z2-ETH.EIP" } ], "category": "vendor", "name": "Pepperl+Fuchs" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-34565", "cwe": { 
"id": "CWE-798", "name": "Use of Hard-coded Credentials" }, "notes": [ { "category": "summary", "text": "The affected product allows active SSH and telnet services with hard-coded credentials.CVE-2021-34565 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34565" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2016-10707", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "notes": [ { "category": "summary", "text": "jQuery 3.0.0-rc.1 is vulnerable to a denial-of-service condition due to removing a logic a 
lowercased attribute names. Any attribute using a mixed-cased name for boolean attributes goes into an infinite recursion, exceeding the stack call limit.CVE-2016-10707 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10707" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2021-34561", "cwe": { "id": "CWE-350", "name": "Reliance on Reverse DNS Resolution for a Security-Critical Action" }, "notes": [ { "category": "summary", "text": "If the application is not externally accessible or uses IP-based access restrictions, attackers can use 
DNS rebinding to bypass any IP or firewall-based access restrictions by proxying through their target\u0027s browser. This vulnerability only affects Versions 3.0.7 through 3.0.8.CVE-2021-34561 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34561" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2021-33555", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "notes": [ { "category": "summary", "text": "The filename parameter is vulnerable to unauthenticated 
path traversal attacks, enabling read access to arbitrary files on the server. This vulnerability only affects Version 3.0.7.CVE-2021-33555 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33555" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2014-6071", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "notes": [ { "category": "summary", "text": "jQuery Version 1.4.2 allows remote attackers to conduct cross-site scripting attacks via vectors related to 
use of the text method.CVE-2014-6071 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6071" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2012-6708", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "notes": [ { "category": "summary", "text": "jQuery versions prior to 1.9.0 are vulnerable to cross-site scripting attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. 
In vulnerable versions, jQuery determined whether the input was HTML by looking for the \u0027\u003c\u0027 character anywhere in the string, giving attackers more flexibility when attempting to deliver a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the \u0027\u003c\u0027 character, limiting exploitability only to attackers who can control the beginning of a string.CVE-2012-6708 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6708" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": 
"CVE-2015-9251", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "notes": [ { "category": "summary", "text": "jQuery versions prior to 3.0.0 are vulnerable to cross-site scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.CVE-2015-9251 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9251" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2020-11023", "cwe": 
{ "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "notes": [ { "category": "summary", "text": "In jQuery versions between 1.0.3 and 3.5.0, passing HTML containing \u003coption\u003e elements from untrusted sources (even after sanitizing it) to one of jQuery\u0027s DOM manipulation methods (i.e., .html(), .append(), and others) may execute untrusted code. This vulnerability is patched in jQuery 3.5.0.CVE-2020-11023 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11023" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, 
"products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2020-11022", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "notes": [ { "category": "summary", "text": "In jQuery versions between 1.2 and 3.5.0, passing HTML from untrusted sources (even after sanitizing it) to one of jQuery\u0027s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This vulnerability is patched in jQuery 3.5.0.CVE-2020-11022 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11022" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2019-11358", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "notes": [ { "category": "summary", "text": "jQuery versions prior to 3.4.0, as used in specific products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.CVE-2019-11358 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11358" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 6.1, 
"baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2020-7656", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "notes": [ { "category": "summary", "text": "jQuery versions prior to 1.9.0 allow cross-site scripting attacks via the load method. The load method fails to recognize and remove \"\u003cscript\u003e\" HTML tags that contain a whitespace character, \"\u003c/script \u003e\", which results in the enclosed script logic to be executed.CVE-2020-7656 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7656" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": 
"https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2021-34560", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "notes": [ { "category": "summary", "text": "The affected product contains a password field with autocomplete enabled. The stored credentials can be captured by an attacker who gains control over the user\u0027s computer.CVE-2021-34560 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34560" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { 
"baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2021-34564", "cwe": { "id": "CWE-315", "name": "Cleartext Storage of Sensitive Information in a Cookie" }, "notes": [ { "category": "summary", "text": "Cookie stealing vulnerabilities within the application or browser allow an attacker to steal the user\u0027s credentials in Version 3.0.9.CVE-2021-34564 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34564" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0" }, 
"products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2021-34559", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "notes": [ { "category": "summary", "text": "In the affected product, Versions 3.0.7 through 3.0.8 have a vulnerability that may allow remote attackers to rewrite links and URLs in cached pages to arbitrary strings.CVE-2021-34559 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34559" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": 
"CVE-2021-34562", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "notes": [ { "category": "summary", "text": "In the affected product, Version 3.0.8, it is possible to inject arbitrary JavaScript into the application\u0027s response.CVE-2021-34562 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34562" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2007-2379", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized 
Actor" }, "notes": [ { "category": "summary", "text": "The jQuery framework exchanges data using JavaScript object notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka \"JavaScript Hijacking.\"CVE-2007-2379 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2379" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2011-4969", "cwe": { "id": 
"CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "notes": [ { "category": "summary", "text": "jQuery versions prior to 1.6.3 contain a Cross-site scripting (XSS) vulnerability, which when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.CVE-2011-4969 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4969" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 4.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2021-34563", "cwe": { "id": "CWE-1004", 
"name": "Sensitive Cookie Without \u0027HttpOnly\u0027 Flag" }, "notes": [ { "category": "summary", "text": "In the affected product, Versions 3.0.8 and 3.0.9, the HttpOnly attribute is not set on a cookie, which allows the cookie\u0027s value to be read or set by client-side JavaScript.CVE-2021-34563 has been assigned to this vulnerability. A CVSS v3 base score of 3.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34563" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] }, { "cve": "CVE-2013-0169", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "The TLS 
protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the Lucky Thirteen issue.CVE-2013-0169 has been assigned to this vulnerability. A CVSS v3 base score of 3.7 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" } ], "remediations": [ { "category": "mitigation", "details": "Minimize network exposure for affected products and ensure they are not accessible via the Internet.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "Isolate affected products from the corporate network.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "If remote access is required, use secure methods such as virtual private networks (VPNs).", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ] }, { "category": "mitigation", "details": "See CERT@VDE\u0027s advisory VDE-2021-027 for more information", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002" ], "url": "https://cert.vde.com/en/advisories/VDE-2021-027/" } ], "scores": [ { "cvss_v3": { "baseScore": 3.7, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002" ] } ] } ] }
wid-sec-w-2023-0558
Vulnerability from csaf_certbund
Published
2020-05-25 22:00
Modified
2024-05-07 22:00
Summary
jQuery: Vulnerability allows Cross-Site Scripting
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
jQuery ist eine freie JavaScript-Bibliothek, die Funktionen zur DOM-Navigation und -Manipulation zur Verfügung stellt.
Angriff
Ein entfernter, anonymer Angreifer kann eine Schwachstelle in jQuery ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen.
Betroffene Betriebssysteme
- Linux
- Sonstiges
- UNIX
- Windows
{ "document": { "aggregate_severity": { "text": "mittel" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "jQuery ist eine freie JavaScript-Bibliothek, die Funktionen zur DOM-Navigation und -Manipulation zur Verf\u00fcgung stellt.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in jQuery ausnutzen, um einen Cross-Site Scripting Angriff durchzuf\u00fchren.", "title": "Angriff" }, { "category": "general", "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2023-0558 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2020/wid-sec-w-2023-0558.json" }, { "category": "self", "summary": "WID-SEC-2023-0558 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0558" }, { "category": "external", "summary": "NIST Database CVE-2020-7656 vom 2020-05-25", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7656" }, { "category": "external", "summary": "PoC auf snyk.io", "url": "https://snyk.io/vuln/SNYK-JS-JQUERY-569619" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2020:4211 vom 2020-10-08", "url": 
"https://access.redhat.com/errata/RHSA-2020:4211" }, { "category": "external", "summary": "Juniper Security Advisory JSA11203 vom 2021-07-14", "url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA11203\u0026cat=SIRT_1" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:4142 vom 2021-11-09", "url": "https://access.redhat.com/errata/RHSA-2021:4142" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2021-9552 vom 2021-11-19", "url": "https://linux.oracle.com/errata/ELSA-2021-9552.html" }, { "category": "external", "summary": "Tenable Security Advisory TNS-2023-09 vom 2023-03-02", "url": "https://www.tenable.com/security/tns-2023-09" }, { "category": "external", "summary": "SolarWinds Platform 2023.3 Release Notes", "url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-3_release_notes.htm" }, { "category": "external", "summary": "IBM Security Bulletin 7060517 vom 2023-10-26", "url": "https://www.ibm.com/support/pages/node/7060517" }, { "category": "external", "summary": "IBM Security Bulletin 7148094 vom 2024-04-11", "url": "https://www.ibm.com/support/pages/node/7148094" }, { "category": "external", "summary": "IBM Security Bulletin 7150527 vom 2024-05-08", "url": "https://www.ibm.com/support/pages/node/7150527" } ], "source_lang": "en-US", "title": "jQuery: Schwachstelle erm\u00f6glicht Cross-Site Scripting", "tracking": { "current_release_date": "2024-05-07T22:00:00.000+00:00", "generator": { "date": "2024-05-08T08:11:04.178+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2023-0558", "initial_release_date": "2020-05-25T22:00:00.000+00:00", "revision_history": [ { "date": "2020-05-25T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2020-10-07T22:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": 
"2021-07-14T22:00:00.000+00:00", "number": "3", "summary": "Neue Updates von Juniper aufgenommen" }, { "date": "2021-11-09T23:00:00.000+00:00", "number": "4", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2021-11-18T23:00:00.000+00:00", "number": "5", "summary": "Neue Updates von Oracle Linux aufgenommen" }, { "date": "2023-03-02T23:00:00.000+00:00", "number": "6", "summary": "Neue Updates von Tenable aufgenommen" }, { "date": "2023-07-25T22:00:00.000+00:00", "number": "7", "summary": "Neue Updates aufgenommen" }, { "date": "2023-10-26T22:00:00.000+00:00", "number": "8", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2024-04-11T22:00:00.000+00:00", "number": "9", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2024-05-07T22:00:00.000+00:00", "number": "10", "summary": "Neue Updates von IBM aufgenommen" } ], "status": "final", "version": "10" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "7.6.1.2", "product": { "name": "IBM Maximo Asset Management 7.6.1.2", "product_id": "812526", "product_identification_helper": { "cpe": "cpe:/a:ibm:maximo_asset_management:7.6.1.2" } } } ], "category": "product_name", "name": "Maximo Asset Management" }, { "branches": [ { "category": "product_version", "name": "7.5", "product": { "name": "IBM QRadar SIEM 7.5", "product_id": "T022954", "product_identification_helper": { "cpe": "cpe:/a:ibm:qradar_siem:7.5" } } } ], "category": "product_name", "name": "QRadar SIEM" }, { "branches": [ { "category": "product_version_range", "name": "\u003c5.2.0.0", "product": { "name": "IBM Storage Scale \u003c5.2.0.0", "product_id": "T034454", "product_identification_helper": { "cpe": "cpe:/a:ibm:spectrum_scale:v5.2.0.0" } } }, { "category": "product_version_range", "name": "\u003c5.1.9-2", "product": { "name": "IBM Storage Scale \u003c5.1.9-2", "product_id": "T034597", "product_identification_helper": { "cpe": "cpe:/a:ibm:spectrum_scale:5.1.9-2" 
} } } ], "category": "product_name", "name": "Storage Scale" } ], "category": "vendor", "name": "IBM" }, { "branches": [ { "category": "product_name", "name": "Juniper JUNOS", "product": { "name": "Juniper JUNOS", "product_id": "5930", "product_identification_helper": { "cpe": "cpe:/o:juniper:junos:-" } } } ], "category": "vendor", "name": "Juniper" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003c1.9.0", "product": { "name": "Open Source jQuery \u003c1.9.0", "product_id": "432958", "product_identification_helper": { "cpe": "cpe:/a:jquery:jquery:1.9.0:-" } } } ], "category": "product_name", "name": "jQuery" } ], "category": "vendor", "name": "Open Source" }, { "branches": [ { "category": "product_name", "name": "Oracle Linux", "product": { "name": "Oracle Linux", "product_id": "T004914", "product_identification_helper": { "cpe": "cpe:/o:oracle:linux:-" } } } ], "category": "vendor", "name": "Oracle" }, { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux", "product": { "name": "Red Hat Enterprise Linux", "product_id": "67646", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:-" } } } ], "category": "vendor", "name": "Red Hat" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003c2023.3", "product": { "name": "SolarWinds Platform \u003c2023.3", "product_id": "T028897", "product_identification_helper": { "cpe": "cpe:/a:solarwinds:orion_platform:2023.3" } } } ], "category": "product_name", "name": "Platform" } ], "category": "vendor", "name": "SolarWinds" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003c10.5.0", "product": { "name": "Tenable Security Nessus \u003c10.5.0", "product_id": "T026604", "product_identification_helper": { "cpe": "cpe:/a:tenable:nessus:10.5.0" } } } ], "category": "product_name", "name": "Nessus" } ], "category": "vendor", "name": "Tenable Security" } ] }, "vulnerabilities": [ { 
"cve": "CVE-2020-7656", "notes": [ { "category": "description", "text": "In jQuery existiert eine Cross-Site Scripting Schwachstelle. HTML und Script-Eingaben werden nicht ordnungsgem\u00e4\u00df \u00fcberpr\u00fcft, bevor sie an den Benutzer zur\u00fcckgegeben werden. Ein entfernter anonymer Angreifer kann durch Ausnutzung dieser Schwachstelle beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausf\u00fchren. Zur erfolgreichen Ausnutzung dieser Schwachstelle muss der Angreifer den Benutzer dazu bringen eine modifizierte URL oder Webseite in seinem Webbrowser zu \u00f6ffnen." } ], "product_status": { "known_affected": [ "T022954", "T026604", "67646", "5930", "812526", "T028897", "T004914", "T034454", "T034597" ] }, "release_date": "2020-05-25T22:00:00Z", "title": "CVE-2020-7656" } ] }
gsd-2020-7656
Vulnerability from gsd
Modified
2023-12-13 01:21
Details
jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.
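The mechanism in the description above, as an added example that is not jQuery's own code: when `.load()` is given a URL with a selector (`$("#out").load("/page.html #fragment")`), jQuery before 1.9.0 first stripped `<script>` elements from the fetched HTML with a regular expression and only then appended it to a scratch `<div>`, where any surviving script is executed by jQuery's HTML insertion. The vulnerable pattern below is the `rscript` regular expression from jQuery 1.8.x `src/ajax.js`; its end-tag alternative is the literal `</script>`, so an end tag written `</script >` never terminates a match. The hardened pattern only adds the missing whitespace tolerance to isolate the defect; jQuery 1.9.0 itself stopped relying on a regex and parses the response into a DOM fragment (`jQuery.parseHTML`). The sample HTML response is constructed for this example.

```javascript
// Added example (not jQuery's code): the script-stripping step of jQuery < 1.9.0
// .load() beside a whitespace-tolerant variant, run over a constructed response.

// rscript as used by jQuery 1.8.x (src/ajax.js). The end-tag check is the literal
// "</script>", so "</script >" (whitespace before ">") is not recognised.
const RSCRIPT_VULNERABLE = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi;

// Same structure, but the end tag tolerates whitespace before ">" (\s*), which is
// what the browser's tokenizer accepts when it closes a script element.
const RSCRIPT_HARDENED = /<script\b[^<]*(?:(?!<\/script\s*>)<[^<]*)*<\/script\s*>/gi;

// What jQuery < 1.9.0 did to responseText before appending it to a dummy <div>.
function stripScriptsVulnerable(html) {
  return html.replace(RSCRIPT_VULNERABLE, "");
}

// Illustrative fix: the same regex with the whitespace check added.
function stripScriptsHardened(html) {
  return html.replace(RSCRIPT_HARDENED, "");
}

// Does any <script ...> start tag survive in the stripped output? Anything that
// survives would be evaluated when jQuery appends the HTML to the scratch <div>.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample response (not from the advisory): a legitimate script with a
// normal end tag, followed by an injected script whose end tag carries a space.
const SAMPLE_RESPONSE = [
  '<div id="content">',
  '  <script src="/legit.js"></script>',
  '  <p>Hello</p>',
  '  <script>alert(1)</script >',
  '</div>'
].join("\n");

// Run both variants over the sample and report whether a <script> tag survived.
function demo(html = SAMPLE_RESPONSE) {
  return {
    vulnerableKeepsScript: containsScriptTag(stripScriptsVulnerable(html)),
    hardenedKeepsScript: containsScriptTag(stripScriptsHardened(html))
  };
}

module.exports = { stripScriptsVulnerable, stripScriptsHardened, containsScriptTag, demo };
```

Note that the vulnerable regex does remove the legitimate `<script src="/legit.js"></script>` in the sample; it is only the injected element with `</script >` that survives and then runs. A regex is still the wrong tool here (the HTML tokenizer also accepts `</script/>` and other variants), which is why the upstream fix in 1.9.0 parses the response instead of pattern-matching it; the hardened regex above only makes the missing check visible.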
Aliases
{ "GSD": { "alias": "CVE-2020-7656", "description": "jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove \"\u003cscript\u003e\" HTML tags that contain a whitespace character, i.e: \"\u003c/script \u003e\", which results in the enclosed script logic to be executed.", "id": "GSD-2020-7656", "references": [ "https://access.redhat.com/errata/RHSA-2021:4142", "https://access.redhat.com/errata/RHSA-2020:4211", "https://linux.oracle.com/cve/CVE-2020-7656.html" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2020-7656" ], "details": "jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove \"\u003cscript\u003e\" HTML tags that contain a whitespace character, i.e: \"\u003c/script \u003e\", which results in the enclosed script logic to be executed.", "id": "GSD-2020-7656", "modified": "2023-12-13T01:21:52.174266Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "report@snyk.io", "ID": "CVE-2020-7656", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "jquery", "version": { "version_data": [ { "version_value": "All versions prior to version 1.9.0" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove \"\u003cscript\u003e\" HTML tags that contain a whitespace character, i.e: \"\u003c/script \u003e\", which results in the enclosed script logic to be executed." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-site Scripting" } ] } ] }, "references": { "reference_data": [ { "name": "https://security.netapp.com/advisory/ntap-20200528-0001/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20200528-0001/" }, { "name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "name": "https://snyk.io/vuln/SNYK-JS-JQUERY-569619", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-JQUERY-569619" }, { "name": "https://security.netapp.com/advisory/ntap-20200528-0001/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20200528-0001/" }, { "name": "https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved-in-Junos-OS-21-2R1?language=en_US", "refsource": "MISC", "url": "https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved-in-Junos-OS-21-2R1?language=en_US" } ] } }, "gitlab.com": { "advisories": [ { "affected_range": "\u003c2.2.0", "affected_versions": "All versions before 2.2.0", "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "cwe_ids": [ "CWE-1035", "CWE-79", "CWE-937" ], "date": "2023-07-10", "description": "jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. 
The load method fails to recognize and remove \"\u003cscript\u003e\" HTML tags that contain a whitespace character, i.e: \"\u003c/script \u003e\", which results in the enclosed script logic to be executed.", "fixed_versions": [ "2.2.0" ], "identifier": "CVE-2020-7656", "identifiers": [ "GHSA-q4m3-2j7h-f7xw", "CVE-2020-7656" ], "not_impacted": "All versions starting from 2.2.0", "package_slug": "gem/jquery-rails", "pubdate": "2020-05-20", "solution": "Upgrade to version 2.2.0 or above.", "title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2020-7656", "https://snyk.io/vuln/SNYK-JS-JQUERY-569619", "https://security.netapp.com/advisory/ntap-20200528-0001/", "https://www.oracle.com/security-alerts/cpujul2022.html", "https://github.com/jquery/jquery/blob/9e6393b0bcb52b15313f88141d0bd7dd54227426/src/ajax.js#L203", "https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#220-19-january-2013", "https://github.com/rails/jquery-rails/blob/v2.1.4/vendor/assets/javascripts/jquery.js#L7481", "https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved-in-Junos-OS-21-2R1?language=en_US", "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-7656.yml", "https://github.com/advisories/GHSA-q4m3-2j7h-f7xw" ], "uuid": "3ecbd5f3-d5ac-4596-bb3e-9b8255642347" }, { "affected_range": "\u003c1.9.0", "affected_versions": "All versions before 1.9.0", "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "cwe_ids": [ "CWE-1035", "CWE-79", "CWE-937" ], "date": "2020-05-28", "description": "jQuery, which is used by the rdoc gem, allows Cross-site Scripting attacks via the load method. 
The load method fails to recognize and remove `\u003cscript\u003e` HTML tags that contain a whitespace character, i.e., `\u003c/script \u003e`, which results in the enclosed script logic to be executed.", "fixed_versions": [ "2.0.0" ], "identifier": "CVE-2020-7656", "identifiers": [ "CVE-2020-7656" ], "not_impacted": "All versions starting from 1.9.0", "package_slug": "gem/rdoc", "pubdate": "2020-05-19", "solution": "Upgrade to version 2.0.0 or above.", "title": "Cross-site Scripting", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2020-7656" ], "uuid": "aa33ca08-0d7b-4e26-9ceb-83fbd44e9f05" }, { "affected_range": "\u003c1.9.0", "affected_versions": "All versions before 1.9.0", "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "cwe_ids": [ "CWE-1035", "CWE-79", "CWE-937" ], "date": "2020-05-28", "description": "JQuery allows Cross-site Scripting attacks via the `load` method. The `load` method fails to recognize and remove `\u003cscript\u003e` HTML tags that contain a whitespace character such as `\u003c/script \u003e`.", "fixed_versions": [ "1.9.1" ], "identifier": "CVE-2020-7656", "identifiers": [ "CVE-2020-7656" ], "not_impacted": "All versions starting from 1.9.0", "package_slug": "npm/jquery", "pubdate": "2020-05-19", "solution": "Upgrade to version 1.9.1 or above.", "title": "Cross-site Scripting", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2020-7656" ], "uuid": "65460751-636c-4e9f-9dd3-00bfc7379043" }, { "affected_range": "(,1.9.0)", "affected_versions": "All versions before 1.9.0", "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "cwe_ids": [ "CWE-1035", "CWE-79", "CWE-937" ], "date": "2023-05-30", "description": "jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. 
The load method fails to recognize and remove \"\u003cscript\u003e\" HTML tags that contain a whitespace character, i.e: \"\u003c/script \u003e\", which results in the enclosed script logic to be executed.", "fixed_versions": [ "1.9.0" ], "identifier": "CVE-2020-7656", "identifiers": [ "GHSA-q4m3-2j7h-f7xw", "CVE-2020-7656" ], "not_impacted": "All versions starting from 1.9.0", "package_slug": "nuget/jQuery", "pubdate": "2020-05-20", "solution": "Upgrade to version 1.9.0 or above.", "title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2020-7656", "https://snyk.io/vuln/SNYK-JS-JQUERY-569619", "https://security.netapp.com/advisory/ntap-20200528-0001/", "https://github.com/advisories/GHSA-q4m3-2j7h-f7xw", "https://www.npmjs.com/advisories/1524", "https://www.oracle.com/security-alerts/cpujul2022.html" ], "uuid": "014e4e8b-8cb3-4e2e-ad6d-7b607282afdc" } ] }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:jquery:jquery:*:*:*:*:*:node.js:*:*", "cpe_name": [], "versionEndExcluding": "1.9.0", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "3.1.3", "versionStartIncluding": "3.0.0", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": 
"cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:juniper:junos:21.2:-:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "report@snyk.io", "ID": "CVE-2020-7656" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove \"\u003cscript\u003e\" HTML tags that contain a whitespace character, i.e: \"\u003c/script \u003e\", which results in the enclosed script logic to be executed." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "CWE-79" } ] } ] }, "references": { "reference_data": [ { "name": "https://snyk.io/vuln/SNYK-JS-JQUERY-569619", "refsource": "MISC", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://snyk.io/vuln/SNYK-JS-JQUERY-569619" }, { "name": "https://security.netapp.com/advisory/ntap-20200528-0001/", "refsource": "CONFIRM", "tags": [ "Third Party Advisory" ], "url": "https://security.netapp.com/advisory/ntap-20200528-0001/" }, { "name": "N/A", "refsource": "N/A", "tags": [ "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "name": "https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved-in-Junos-OS-21-2R1?language=en_US", "refsource": "MISC", "tags": [ "Third Party Advisory" ], "url": "https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved-in-Junos-OS-21-2R1?language=en_US" } ] } }, "impact": { "baseMetricV2": { 
"acInsufInfo": false, "cvssV2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true }, "baseMetricV3": { "cvssV3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7 } }, "lastModifiedDate": "2023-06-22T19:49Z", "publishedDate": "2020-05-19T21:15Z" } } }
rhsa-2020_4211
Vulnerability from csaf_redhat
Published
2020-10-08 07:01
Modified
2024-11-15 09:37
Summary
Red Hat Security Advisory: Red Hat AMQ Interconnect 1.9.0 release and security update
Notes
Topic
Red Hat AMQ Interconnect 1.9.0 release packages are available for A-MQ Interconnect on RHEL 6, 7, and 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat AMQ Interconnect is a component of the AMQ 7 product family. AMQ Interconnect provides flexible routing of messages between AMQP-enabled endpoints, whether they are clients, servers, brokers, or any other entity that can send or receive standard AMQP messages.
This release of Red Hat AMQ Interconnect 1.9.0 serves as a replacement for Red Hat AMQ Interconnect 1.8.0 and includes security fixes, bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.
Security Fix(es):
* jQuery: allows XSS via the load method (CVE-2020-7656)
* jquery: Cross-site scripting due to improper jQuery.htmlPrefilter method (CVE-2020-11022)
* jQuery: passing HTML containing <option> elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgements, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat AMQ Interconnect 1.9.0 release packages are available for A-MQ Interconnect on RHEL 6, 7, and 8.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat AMQ Interconnect is a component of the AMQ 7 product family. AMQ Interconnect provides flexible routing of messages between AMQP-enabled endpoints, whether they are clients, servers, brokers, or any other entity that can send or receive standard AMQP messages.\n\nThis release of Red Hat AMQ Interconnect 1.9.0 serves as a replacement for Red Hat AMQ Interconnect 1.8.0 and includes security and bug fixes, and enhancements. 
For further information, refer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* jQuery: allows XSS via the load method (CVE-2020-7656)\n\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)\n\n* jQuery: passing HTML containing \u003coption\u003e elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgements, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2020:4211", "url": "https://access.redhat.com/errata/RHSA-2020:4211" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq.interconnect\u0026downloadType=distributions\u0026version=1.9.0", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq.interconnect\u0026downloadType=distributions\u0026version=1.9.0" 
}, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_amq/", "url": "https://access.redhat.com/documentation/en-us/red_hat_amq/" }, { "category": "external", "summary": "1828406", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406" }, { "category": "external", "summary": "1850004", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004" }, { "category": "external", "summary": "1850119", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850119" }, { "category": "external", "summary": "ENTMQIC-2448", "url": "https://issues.redhat.com/browse/ENTMQIC-2448" }, { "category": "external", "summary": "ENTMQIC-2455", "url": "https://issues.redhat.com/browse/ENTMQIC-2455" }, { "category": "external", "summary": "ENTMQIC-2460", "url": "https://issues.redhat.com/browse/ENTMQIC-2460" }, { "category": "external", "summary": "ENTMQIC-2481", "url": "https://issues.redhat.com/browse/ENTMQIC-2481" }, { "category": "external", "summary": "ENTMQIC-2485", "url": "https://issues.redhat.com/browse/ENTMQIC-2485" }, { "category": "external", "summary": "ENTMQIC-2492", "url": "https://issues.redhat.com/browse/ENTMQIC-2492" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_4211.json" } ], "title": "Red Hat Security Advisory: Red Hat AMQ Interconnect 1.9.0 release and security update", "tracking": { "current_release_date": "2024-11-15T09:37:23+00:00", "generator": { "date": "2024-11-15T09:37:23+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2020:4211", "initial_release_date": "2020-10-08T07:01:31+00:00", "revision_history": [ { "date": "2020-10-08T07:01:31+00:00", "number": "1", "summary": "Initial version" }, { "date": "2020-10-08T07:01:31+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T09:37:23+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", 
"version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat AMQ Interconnect 1", "product": { "name": "Red Hat AMQ Interconnect 1", "product_id": "7ComputeNode-RH7-A-MQ-Interconnect-1", "product_identification_helper": { "cpe": "cpe:/a:redhat:amq_interconnect:1::el7" } } }, { "category": "product_name", "name": "Red Hat AMQ Interconnect 1", "product": { "name": "Red Hat AMQ Interconnect 1", "product_id": "7Server-RH7-A-MQ-Interconnect-1", "product_identification_helper": { "cpe": "cpe:/a:redhat:amq_interconnect:1::el7" } } }, { "category": "product_name", "name": "Red Hat AMQ Interconnect 1", "product": { "name": "Red Hat AMQ Interconnect 1", "product_id": "7Workstation-RH7-A-MQ-Interconnect-1", "product_identification_helper": { "cpe": "cpe:/a:redhat:amq_interconnect:1::el7" } } }, { "category": "product_name", "name": "Red Hat AMQ Interconnect 1", "product": { "name": "Red Hat AMQ Interconnect 1", "product_id": "6ComputeNode-RH6-A-MQ-Interconnect-1", "product_identification_helper": { "cpe": "cpe:/a:redhat:amq_interconnect:1::el6" } } }, { "category": "product_name", "name": "Red Hat AMQ Interconnect 1", "product": { "name": "Red Hat AMQ Interconnect 1", "product_id": "6Server-RH6-A-MQ-Interconnect-1", "product_identification_helper": { "cpe": "cpe:/a:redhat:amq_interconnect:1::el6" } } }, { "category": "product_name", "name": "Red Hat AMQ Interconnect 1", "product": { "name": "Red Hat AMQ Interconnect 1", "product_id": "6Workstation-RH6-A-MQ-Interconnect-1", "product_identification_helper": { "cpe": "cpe:/a:redhat:amq_interconnect:1::el6" } } }, { "category": "product_name", "name": "Red Hat AMQ Interconnect 1", "product": { "name": "Red Hat AMQ Interconnect 1", "product_id": "8Base-A-MQ-Interconnect-1", "product_identification_helper": { "cpe": "cpe:/a:redhat:amq_interconnect:1::el8" } } } ], "category": "product_family", "name": "Red Hat JBoss AMQ Interconnect" }, { "branches": [ { 
"category": "product_version", "name": "qpid-dispatch-0:1.13.0-3.el7.src", "product": { "name": "qpid-dispatch-0:1.13.0-3.el7.src", "product_id": "qpid-dispatch-0:1.13.0-3.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/qpid-dispatch@1.13.0-3.el7?arch=src" } } }, { "category": "product_version", "name": "qpid-dispatch-0:1.13.0-3.el6_10.src", "product": { "name": "qpid-dispatch-0:1.13.0-3.el6_10.src", "product_id": "qpid-dispatch-0:1.13.0-3.el6_10.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/qpid-dispatch@1.13.0-3.el6_10?arch=src" } } }, { "category": "product_version", "name": "qpid-dispatch-0:1.13.0-3.el8.src", "product": { "name": "qpid-dispatch-0:1.13.0-3.el8.src", "product_id": "qpid-dispatch-0:1.13.0-3.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/qpid-dispatch@1.13.0-3.el8?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "qpid-dispatch-console-0:1.13.0-3.el7.noarch", "product": { "name": "qpid-dispatch-console-0:1.13.0-3.el7.noarch", "product_id": "qpid-dispatch-console-0:1.13.0-3.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/qpid-dispatch-console@1.13.0-3.el7?arch=noarch" } } }, { "category": "product_version", "name": "qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "product": { "name": "qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "product_id": "qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/qpid-dispatch-docs@1.13.0-3.el7?arch=noarch" } } }, { "category": "product_version", "name": "qpid-dispatch-tools-0:1.13.0-3.el7.noarch", "product": { "name": "qpid-dispatch-tools-0:1.13.0-3.el7.noarch", "product_id": "qpid-dispatch-tools-0:1.13.0-3.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/qpid-dispatch-tools@1.13.0-3.el7?arch=noarch" } } }, { "category": "product_version", "name": "qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", 
"product": { "name": "qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", "product_id": "qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/qpid-dispatch-console@1.13.0-3.el6_10?arch=noarch" } } }, { "category": "product_version", "name": "qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "product": { "name": "qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "product_id": "qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/qpid-dispatch-docs@1.13.0-3.el6_10?arch=noarch" } } }, { "category": "product_version", "name": "qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", "product": { "name": "qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", "product_id": "qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/qpid-dispatch-tools@1.13.0-3.el6_10?arch=noarch" } } }, { "category": "product_version", "name": "qpid-dispatch-console-0:1.13.0-3.el8.noarch", "product": { "name": "qpid-dispatch-console-0:1.13.0-3.el8.noarch", "product_id": "qpid-dispatch-console-0:1.13.0-3.el8.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/qpid-dispatch-console@1.13.0-3.el8?arch=noarch" } } }, { "category": "product_version", "name": "qpid-dispatch-docs-0:1.13.0-3.el8.noarch", "product": { "name": "qpid-dispatch-docs-0:1.13.0-3.el8.noarch", "product_id": "qpid-dispatch-docs-0:1.13.0-3.el8.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/qpid-dispatch-docs@1.13.0-3.el8?arch=noarch" } } }, { "category": "product_version", "name": "qpid-dispatch-tools-0:1.13.0-3.el8.noarch", "product": { "name": "qpid-dispatch-tools-0:1.13.0-3.el8.noarch", "product_id": "qpid-dispatch-tools-0:1.13.0-3.el8.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/qpid-dispatch-tools@1.13.0-3.el8?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": 
"qpid-dispatch-router-0:1.13.0-3.el7.x86_64", "product": { "name": "qpid-dispatch-router-0:1.13.0-3.el7.x86_64", "product_id": "qpid-dispatch-router-0:1.13.0-3.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/qpid-dispatch-router@1.13.0-3.el7?arch=x86_64" } } }, { "category": "product_version", "name": "qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "product": { "name": "qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "product_id": "qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/qpid-dispatch-debuginfo@1.13.0-3.el7?arch=x86_64" } } }, { "category": "product_version", "name": "qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "product": { "name": "qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "product_id": "qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/qpid-dispatch-router@1.13.0-3.el6_10?arch=x86_64" } } }, { "category": "product_version", "name": "qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "product": { "name": "qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "product_id": "qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/qpid-dispatch-debuginfo@1.13.0-3.el6_10?arch=x86_64" } } }, { "category": "product_version", "name": "qpid-dispatch-router-0:1.13.0-3.el8.x86_64", "product": { "name": "qpid-dispatch-router-0:1.13.0-3.el8.x86_64", "product_id": "qpid-dispatch-router-0:1.13.0-3.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/qpid-dispatch-router@1.13.0-3.el8?arch=x86_64" } } }, { "category": "product_version", "name": "qpid-dispatch-debugsource-0:1.13.0-3.el8.x86_64", "product": { "name": "qpid-dispatch-debugsource-0:1.13.0-3.el8.x86_64", "product_id": "qpid-dispatch-debugsource-0:1.13.0-3.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/qpid-dispatch-debugsource@1.13.0-3.el8?arch=x86_64" } } }, { 
"category": "product_version", "name": "qpid-dispatch-router-debuginfo-0:1.13.0-3.el8.x86_64", "product": { "name": "qpid-dispatch-router-debuginfo-0:1.13.0-3.el8.x86_64", "product_id": "qpid-dispatch-router-debuginfo-0:1.13.0-3.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/qpid-dispatch-router-debuginfo@1.13.0-3.el8?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "qpid-dispatch-router-0:1.13.0-3.el6_10.i686", "product": { "name": "qpid-dispatch-router-0:1.13.0-3.el6_10.i686", "product_id": "qpid-dispatch-router-0:1.13.0-3.el6_10.i686", "product_identification_helper": { "purl": "pkg:rpm/redhat/qpid-dispatch-router@1.13.0-3.el6_10?arch=i686" } } }, { "category": "product_version", "name": "qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", "product": { "name": "qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", "product_id": "qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", "product_identification_helper": { "purl": "pkg:rpm/redhat/qpid-dispatch-debuginfo@1.13.0-3.el6_10?arch=i686" } } } ], "category": "architecture", "name": "i686" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-0:1.13.0-3.el6_10.src as a component of Red Hat AMQ Interconnect 1", "product_id": "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el6_10.src" }, "product_reference": "qpid-dispatch-0:1.13.0-3.el6_10.src", "relates_to_product_reference": "6ComputeNode-RH6-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-console-0:1.13.0-3.el6_10.noarch as a component of Red Hat AMQ Interconnect 1", "product_id": "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el6_10.noarch" }, "product_reference": "qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", "relates_to_product_reference": 
"6ComputeNode-RH6-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686 as a component of Red Hat AMQ Interconnect 1", "product_id": "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686" }, "product_reference": "qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", "relates_to_product_reference": "6ComputeNode-RH6-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64 as a component of Red Hat AMQ Interconnect 1", "product_id": "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64" }, "product_reference": "qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "relates_to_product_reference": "6ComputeNode-RH6-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch as a component of Red Hat AMQ Interconnect 1", "product_id": "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch" }, "product_reference": "qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "relates_to_product_reference": "6ComputeNode-RH6-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-router-0:1.13.0-3.el6_10.i686 as a component of Red Hat AMQ Interconnect 1", "product_id": "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.i686" }, "product_reference": "qpid-dispatch-router-0:1.13.0-3.el6_10.i686", "relates_to_product_reference": "6ComputeNode-RH6-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64 as a component of Red Hat AMQ Interconnect 1", "product_id": "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64" }, "product_reference": 
"qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "relates_to_product_reference": "6ComputeNode-RH6-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch as a component of Red Hat AMQ Interconnect 1", "product_id": "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch" }, "product_reference": "qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", "relates_to_product_reference": "6ComputeNode-RH6-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-0:1.13.0-3.el6_10.src as a component of Red Hat AMQ Interconnect 1", "product_id": "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el6_10.src" }, "product_reference": "qpid-dispatch-0:1.13.0-3.el6_10.src", "relates_to_product_reference": "6Server-RH6-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-console-0:1.13.0-3.el6_10.noarch as a component of Red Hat AMQ Interconnect 1", "product_id": "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el6_10.noarch" }, "product_reference": "qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", "relates_to_product_reference": "6Server-RH6-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686 as a component of Red Hat AMQ Interconnect 1", "product_id": "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686" }, "product_reference": "qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", "relates_to_product_reference": "6Server-RH6-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64 as a component of Red Hat AMQ Interconnect 1", "product_id": "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64" }, "product_reference": 
"qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "relates_to_product_reference": "6Server-RH6-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch as a component of Red Hat AMQ Interconnect 1", "product_id": "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch" }, "product_reference": "qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "relates_to_product_reference": "6Server-RH6-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-router-0:1.13.0-3.el6_10.i686 as a component of Red Hat AMQ Interconnect 1", "product_id": "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.i686" }, "product_reference": "qpid-dispatch-router-0:1.13.0-3.el6_10.i686", "relates_to_product_reference": "6Server-RH6-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64 as a component of Red Hat AMQ Interconnect 1", "product_id": "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64" }, "product_reference": "qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "relates_to_product_reference": "6Server-RH6-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch as a component of Red Hat AMQ Interconnect 1", "product_id": "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch" }, "product_reference": "qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", "relates_to_product_reference": "6Server-RH6-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-0:1.13.0-3.el6_10.src as a component of Red Hat AMQ Interconnect 1", "product_id": "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el6_10.src" }, "product_reference": 
"qpid-dispatch-0:1.13.0-3.el6_10.src", "relates_to_product_reference": "6Workstation-RH6-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-console-0:1.13.0-3.el6_10.noarch as a component of Red Hat AMQ Interconnect 1", "product_id": "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el6_10.noarch" }, "product_reference": "qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", "relates_to_product_reference": "6Workstation-RH6-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686 as a component of Red Hat AMQ Interconnect 1", "product_id": "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686" }, "product_reference": "qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", "relates_to_product_reference": "6Workstation-RH6-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64 as a component of Red Hat AMQ Interconnect 1", "product_id": "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64" }, "product_reference": "qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "relates_to_product_reference": "6Workstation-RH6-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch as a component of Red Hat AMQ Interconnect 1", "product_id": "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch" }, "product_reference": "qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "relates_to_product_reference": "6Workstation-RH6-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-router-0:1.13.0-3.el6_10.i686 as a component of Red Hat AMQ Interconnect 1", "product_id": 
"6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.i686" }, "product_reference": "qpid-dispatch-router-0:1.13.0-3.el6_10.i686", "relates_to_product_reference": "6Workstation-RH6-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64 as a component of Red Hat AMQ Interconnect 1", "product_id": "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64" }, "product_reference": "qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "relates_to_product_reference": "6Workstation-RH6-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch as a component of Red Hat AMQ Interconnect 1", "product_id": "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch" }, "product_reference": "qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", "relates_to_product_reference": "6Workstation-RH6-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-0:1.13.0-3.el7.src as a component of Red Hat AMQ Interconnect 1", "product_id": "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el7.src" }, "product_reference": "qpid-dispatch-0:1.13.0-3.el7.src", "relates_to_product_reference": "7ComputeNode-RH7-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-console-0:1.13.0-3.el7.noarch as a component of Red Hat AMQ Interconnect 1", "product_id": "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el7.noarch" }, "product_reference": "qpid-dispatch-console-0:1.13.0-3.el7.noarch", "relates_to_product_reference": "7ComputeNode-RH7-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64 as a component of Red Hat AMQ Interconnect 1", "product_id": 
"7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64" }, "product_reference": "qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "relates_to_product_reference": "7ComputeNode-RH7-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-docs-0:1.13.0-3.el7.noarch as a component of Red Hat AMQ Interconnect 1", "product_id": "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el7.noarch" }, "product_reference": "qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "relates_to_product_reference": "7ComputeNode-RH7-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-router-0:1.13.0-3.el7.x86_64 as a component of Red Hat AMQ Interconnect 1", "product_id": "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el7.x86_64" }, "product_reference": "qpid-dispatch-router-0:1.13.0-3.el7.x86_64", "relates_to_product_reference": "7ComputeNode-RH7-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-tools-0:1.13.0-3.el7.noarch as a component of Red Hat AMQ Interconnect 1", "product_id": "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el7.noarch" }, "product_reference": "qpid-dispatch-tools-0:1.13.0-3.el7.noarch", "relates_to_product_reference": "7ComputeNode-RH7-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-0:1.13.0-3.el7.src as a component of Red Hat AMQ Interconnect 1", "product_id": "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el7.src" }, "product_reference": "qpid-dispatch-0:1.13.0-3.el7.src", "relates_to_product_reference": "7Server-RH7-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-console-0:1.13.0-3.el7.noarch as a component of Red Hat AMQ Interconnect 1", "product_id": 
"7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el7.noarch" }, "product_reference": "qpid-dispatch-console-0:1.13.0-3.el7.noarch", "relates_to_product_reference": "7Server-RH7-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64 as a component of Red Hat AMQ Interconnect 1", "product_id": "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64" }, "product_reference": "qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "relates_to_product_reference": "7Server-RH7-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-docs-0:1.13.0-3.el7.noarch as a component of Red Hat AMQ Interconnect 1", "product_id": "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el7.noarch" }, "product_reference": "qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "relates_to_product_reference": "7Server-RH7-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-router-0:1.13.0-3.el7.x86_64 as a component of Red Hat AMQ Interconnect 1", "product_id": "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el7.x86_64" }, "product_reference": "qpid-dispatch-router-0:1.13.0-3.el7.x86_64", "relates_to_product_reference": "7Server-RH7-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-tools-0:1.13.0-3.el7.noarch as a component of Red Hat AMQ Interconnect 1", "product_id": "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el7.noarch" }, "product_reference": "qpid-dispatch-tools-0:1.13.0-3.el7.noarch", "relates_to_product_reference": "7Server-RH7-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-0:1.13.0-3.el7.src as a component of Red Hat AMQ Interconnect 1", "product_id": 
"7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el7.src" }, "product_reference": "qpid-dispatch-0:1.13.0-3.el7.src", "relates_to_product_reference": "7Workstation-RH7-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-console-0:1.13.0-3.el7.noarch as a component of Red Hat AMQ Interconnect 1", "product_id": "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el7.noarch" }, "product_reference": "qpid-dispatch-console-0:1.13.0-3.el7.noarch", "relates_to_product_reference": "7Workstation-RH7-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64 as a component of Red Hat AMQ Interconnect 1", "product_id": "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64" }, "product_reference": "qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "relates_to_product_reference": "7Workstation-RH7-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-docs-0:1.13.0-3.el7.noarch as a component of Red Hat AMQ Interconnect 1", "product_id": "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el7.noarch" }, "product_reference": "qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "relates_to_product_reference": "7Workstation-RH7-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-router-0:1.13.0-3.el7.x86_64 as a component of Red Hat AMQ Interconnect 1", "product_id": "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el7.x86_64" }, "product_reference": "qpid-dispatch-router-0:1.13.0-3.el7.x86_64", "relates_to_product_reference": "7Workstation-RH7-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-tools-0:1.13.0-3.el7.noarch as a component of Red Hat AMQ Interconnect 1", "product_id": 
"7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el7.noarch" }, "product_reference": "qpid-dispatch-tools-0:1.13.0-3.el7.noarch", "relates_to_product_reference": "7Workstation-RH7-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-0:1.13.0-3.el8.src as a component of Red Hat AMQ Interconnect 1", "product_id": "8Base-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el8.src" }, "product_reference": "qpid-dispatch-0:1.13.0-3.el8.src", "relates_to_product_reference": "8Base-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-console-0:1.13.0-3.el8.noarch as a component of Red Hat AMQ Interconnect 1", "product_id": "8Base-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el8.noarch" }, "product_reference": "qpid-dispatch-console-0:1.13.0-3.el8.noarch", "relates_to_product_reference": "8Base-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-debugsource-0:1.13.0-3.el8.x86_64 as a component of Red Hat AMQ Interconnect 1", "product_id": "8Base-A-MQ-Interconnect-1:qpid-dispatch-debugsource-0:1.13.0-3.el8.x86_64" }, "product_reference": "qpid-dispatch-debugsource-0:1.13.0-3.el8.x86_64", "relates_to_product_reference": "8Base-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-docs-0:1.13.0-3.el8.noarch as a component of Red Hat AMQ Interconnect 1", "product_id": "8Base-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el8.noarch" }, "product_reference": "qpid-dispatch-docs-0:1.13.0-3.el8.noarch", "relates_to_product_reference": "8Base-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-router-0:1.13.0-3.el8.x86_64 as a component of Red Hat AMQ Interconnect 1", "product_id": "8Base-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el8.x86_64" }, "product_reference": 
"qpid-dispatch-router-0:1.13.0-3.el8.x86_64", "relates_to_product_reference": "8Base-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-router-debuginfo-0:1.13.0-3.el8.x86_64 as a component of Red Hat AMQ Interconnect 1", "product_id": "8Base-A-MQ-Interconnect-1:qpid-dispatch-router-debuginfo-0:1.13.0-3.el8.x86_64" }, "product_reference": "qpid-dispatch-router-debuginfo-0:1.13.0-3.el8.x86_64", "relates_to_product_reference": "8Base-A-MQ-Interconnect-1" }, { "category": "default_component_of", "full_product_name": { "name": "qpid-dispatch-tools-0:1.13.0-3.el8.noarch as a component of Red Hat AMQ Interconnect 1", "product_id": "8Base-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el8.noarch" }, "product_reference": "qpid-dispatch-tools-0:1.13.0-3.el8.noarch", "relates_to_product_reference": "8Base-A-MQ-Interconnect-1" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-7656", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2020-06-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1850119" } ], "notes": [ { "category": "description", "text": "A flaw was found in jquery in versions prior to 1.9.0. A cross-site scripting attack is possible as the load method fails to recognize and remove \"\u003cscript\u003e\" HTML tags that contain a whitespace character which results in the enclosed script logic to be executed. The highest threat from this vulnerability is to data confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Cross-site scripting (XSS) via \u003cscript\u003e HTML tags containing whitespaces", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux version 6, 7 and 8 ship a vulnerable version of JQuery in the `pcs` component. 
However, the vulnerability has not been found to be exploitable in reasonable scenarios. A future update may update JQuery to a fixed version.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el6_10.src", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.i686", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el6_10.src", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.i686", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el6_10.src", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", 
"6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.i686", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el7.src", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el7.noarch", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el7.x86_64", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el7.noarch", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el7.src", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el7.noarch", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el7.x86_64", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el7.noarch", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el7.src", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el7.noarch", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el7.x86_64", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el7.noarch", 
"8Base-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el8.src", "8Base-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el8.noarch", "8Base-A-MQ-Interconnect-1:qpid-dispatch-debugsource-0:1.13.0-3.el8.x86_64", "8Base-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el8.noarch", "8Base-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el8.x86_64", "8Base-A-MQ-Interconnect-1:qpid-dispatch-router-debuginfo-0:1.13.0-3.el8.x86_64", "8Base-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-7656" }, { "category": "external", "summary": "RHBZ#1850119", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850119" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-7656", "url": "https://www.cve.org/CVERecord?id=CVE-2020-7656" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-7656", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7656" } ], "release_date": "2020-05-19T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-10-08T07:01:31+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el6_10.src", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.i686", 
"6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el6_10.src", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.i686", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el6_10.src", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.i686", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el7.src", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el7.noarch", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el7.x86_64", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el7.noarch", 
"7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el7.src", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el7.noarch", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el7.x86_64", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el7.noarch", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el7.src", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el7.noarch", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el7.x86_64", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el7.noarch", "8Base-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el8.src", "8Base-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el8.noarch", "8Base-A-MQ-Interconnect-1:qpid-dispatch-debugsource-0:1.13.0-3.el8.x86_64", "8Base-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el8.noarch", "8Base-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el8.x86_64", "8Base-A-MQ-Interconnect-1:qpid-dispatch-router-debuginfo-0:1.13.0-3.el8.x86_64", "8Base-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el8.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:4211" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" }, "products": [ 
"6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el6_10.src", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.i686", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el6_10.src", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.i686", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el6_10.src", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.i686", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", 
"7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el7.src", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el7.noarch", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el7.x86_64", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el7.noarch", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el7.src", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el7.noarch", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el7.x86_64", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el7.noarch", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el7.src", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el7.noarch", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el7.x86_64", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el7.noarch", "8Base-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el8.src", "8Base-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el8.noarch", "8Base-A-MQ-Interconnect-1:qpid-dispatch-debugsource-0:1.13.0-3.el8.x86_64", "8Base-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el8.noarch", "8Base-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el8.x86_64", "8Base-A-MQ-Interconnect-1:qpid-dispatch-router-debuginfo-0:1.13.0-3.el8.x86_64", "8Base-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el8.noarch" ] } ], "threats": [ { "category": "impact", "details": 
"Moderate" } ], "title": "jquery: Cross-site scripting (XSS) via \u003cscript\u003e HTML tags containing whitespaces" }, { "cve": "CVE-2020-11022", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2020-04-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1828406" } ], "notes": [ { "category": "description", "text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method", "title": "Vulnerability summary" }, { "category": "other", "text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el6_10.src", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.i686", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", 
"6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el6_10.src", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.i686", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el6_10.src", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.i686", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el7.src", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el7.noarch", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el7.x86_64", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el7.noarch", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el7.src", 
"7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el7.noarch", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el7.x86_64", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el7.noarch", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el7.src", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el7.noarch", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el7.x86_64", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el7.noarch", "8Base-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el8.src", "8Base-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el8.noarch", "8Base-A-MQ-Interconnect-1:qpid-dispatch-debugsource-0:1.13.0-3.el8.x86_64", "8Base-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el8.noarch", "8Base-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el8.x86_64", "8Base-A-MQ-Interconnect-1:qpid-dispatch-router-debuginfo-0:1.13.0-3.el8.x86_64", "8Base-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-11022" }, { "category": "external", "summary": "RHBZ#1828406", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022", "url": "https://www.cve.org/CVERecord?id=CVE-2020-11022" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022" }, { "category": "external", "summary": 
"https://github.com/advisories/GHSA-gxr4-xjj5-5px2", "url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2" } ], "release_date": "2020-04-23T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-10-08T07:01:31+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el6_10.src", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.i686", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el6_10.src", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.i686", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el6_10.src", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", 
"6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.i686", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el7.src", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el7.noarch", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el7.x86_64", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el7.noarch", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el7.src", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el7.noarch", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el7.x86_64", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el7.noarch", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el7.src", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el7.noarch", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el7.x86_64", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el7.noarch", 
"8Base-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el8.src", "8Base-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el8.noarch", "8Base-A-MQ-Interconnect-1:qpid-dispatch-debugsource-0:1.13.0-3.el8.x86_64", "8Base-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el8.noarch", "8Base-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el8.x86_64", "8Base-A-MQ-Interconnect-1:qpid-dispatch-router-debuginfo-0:1.13.0-3.el8.x86_64", "8Base-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el8.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:4211" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el6_10.src", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.i686", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el6_10.src", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", 
"6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.i686", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el6_10.src", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.i686", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el7.src", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el7.noarch", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el7.x86_64", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el7.noarch", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el7.src", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el7.noarch", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el7.x86_64", 
"7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el7.noarch", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el7.src", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el7.noarch", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el7.x86_64", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el7.noarch", "8Base-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el8.src", "8Base-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el8.noarch", "8Base-A-MQ-Interconnect-1:qpid-dispatch-debugsource-0:1.13.0-3.el8.x86_64", "8Base-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el8.noarch", "8Base-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el8.x86_64", "8Base-A-MQ-Interconnect-1:qpid-dispatch-router-debuginfo-0:1.13.0-3.el8.x86_64", "8Base-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el8.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method" }, { "cve": "CVE-2020-11023", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2020-06-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1850004" } ], "notes": [ { "category": "description", "text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. 
The highest threat from this vulnerability is to data confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. However, the vulnerability has not been found to be exploitable in reasonable scenarios. \n\nIn RHEL7, pcs-0.9.169-3.el7_9.3 [RHSA-2022:7343] contains an updated version of jquery (3.6.0), which does not contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el6_10.src", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.i686", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el6_10.src", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", 
"6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.i686", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el6_10.src", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.i686", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el7.src", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el7.noarch", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el7.x86_64", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el7.noarch", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el7.src", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el7.noarch", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el7.x86_64", 
"7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el7.noarch", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el7.src", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el7.noarch", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el7.x86_64", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el7.noarch", "8Base-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el8.src", "8Base-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el8.noarch", "8Base-A-MQ-Interconnect-1:qpid-dispatch-debugsource-0:1.13.0-3.el8.x86_64", "8Base-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el8.noarch", "8Base-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el8.x86_64", "8Base-A-MQ-Interconnect-1:qpid-dispatch-router-debuginfo-0:1.13.0-3.el8.x86_64", "8Base-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-11023" }, { "category": "external", "summary": "RHBZ#1850004", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023", "url": "https://www.cve.org/CVERecord?id=CVE-2020-11023" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023" }, { "category": "external", "summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/", "url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/" } ], "release_date": "2020-04-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-10-08T07:01:31+00:00", "details": "Before applying this update, make sure all previously released 
errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el6_10.src", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.i686", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el6_10.src", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.i686", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el6_10.src", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.i686", 
"6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el7.src", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el7.noarch", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el7.x86_64", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el7.noarch", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el7.src", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el7.noarch", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el7.x86_64", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el7.noarch", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el7.src", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el7.noarch", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el7.x86_64", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el7.noarch", "8Base-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el8.src", "8Base-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el8.noarch", "8Base-A-MQ-Interconnect-1:qpid-dispatch-debugsource-0:1.13.0-3.el8.x86_64", "8Base-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el8.noarch", "8Base-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el8.x86_64", 
"8Base-A-MQ-Interconnect-1:qpid-dispatch-router-debuginfo-0:1.13.0-3.el8.x86_64", "8Base-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el8.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:4211" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el6_10.src", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.i686", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "6ComputeNode-RH6-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el6_10.src", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.i686", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "6Server-RH6-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", 
"6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el6_10.src", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el6_10.noarch", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.i686", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el6_10.x86_64", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el6_10.noarch", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.i686", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el6_10.x86_64", "6Workstation-RH6-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el6_10.noarch", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el7.src", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el7.noarch", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el7.x86_64", "7ComputeNode-RH7-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el7.noarch", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el7.src", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el7.noarch", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el7.noarch", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el7.x86_64", "7Server-RH7-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el7.noarch", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el7.src", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el7.noarch", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-debuginfo-0:1.13.0-3.el7.x86_64", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el7.noarch", 
"7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el7.x86_64", "7Workstation-RH7-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el7.noarch", "8Base-A-MQ-Interconnect-1:qpid-dispatch-0:1.13.0-3.el8.src", "8Base-A-MQ-Interconnect-1:qpid-dispatch-console-0:1.13.0-3.el8.noarch", "8Base-A-MQ-Interconnect-1:qpid-dispatch-debugsource-0:1.13.0-3.el8.x86_64", "8Base-A-MQ-Interconnect-1:qpid-dispatch-docs-0:1.13.0-3.el8.noarch", "8Base-A-MQ-Interconnect-1:qpid-dispatch-router-0:1.13.0-3.el8.x86_64", "8Base-A-MQ-Interconnect-1:qpid-dispatch-router-debuginfo-0:1.13.0-3.el8.x86_64", "8Base-A-MQ-Interconnect-1:qpid-dispatch-tools-0:1.13.0-3.el8.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods" } ] }
rhsa-2021_4142
Vulnerability from csaf_redhat
Published
2021-11-09 17:49
Modified
2024-11-15 09:43
Summary
Red Hat Security Advisory: pcs security, bug fix, and enhancement update
Notes
Topic
An update for pcs is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.
The following packages have been upgraded to a later upstream version: pcs (0.10.10). (BZ#1935594)
Security Fix(es):
* jquery: Cross-site scripting (XSS) via <script> HTML tags containing whitespaces (CVE-2020-7656)
* jquery: Untrusted code execution via <option> tag in HTML passed to DOM manipulation methods (CVE-2020-11023)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
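The first of the two fixes above, CVE-2020-7656, comes down to how jQuery.fn.load filtered the HTML it fetched: before 1.9.0 it removed <script> blocks with a regular expression and then handed the rest to append(), which evaluates any <script> element it inserts. The expression only recognised the literal end tag </script>, while browsers also accept </script followed by whitespace as an end tag, so a response closing its script with "</script >" kept its script element and got it executed. The following is an added illustration, not code from this advisory or from jQuery: the first pattern is reproduced from memory of jQuery 1.8.x's src/ajax.js and should be checked against the tagged source, the spec-aligned pattern is an assumption introduced here (it is not jQuery's own 1.9.0 fix), and the sample responses are constructed.

```javascript
// Script-stripping regex that jQuery.fn.load applied to the fetched HTML before 1.9.0
// (reproduced from memory of jQuery 1.8.x src/ajax.js; check it against the tagged source).
// It only recognises the literal end tag "</script>".
const RSCRIPT_PRE_19 = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi;

// Spec-aligned pattern (an assumption added here, not jQuery's own fix): the HTML
// tokenizer closes script data on "</script" followed by whitespace, "/" or ">", so
// those characters must be allowed before the final ">".
const RSCRIPT_SPEC = /<script\b[^>]*>[\s\S]*?<\/script(?:[\s\/][^>]*)?>/gi;

// A browser treats "<script" followed by whitespace, "/" or ">" as a script start tag;
// if one is still present after stripping, jQuery's append() would evaluate it.
const RSCRIPT_START = /<script(?=[\s\/>])/i;

function stripScriptsPre19(html) {
  return html.replace(RSCRIPT_PRE_19, "");
}

function stripScriptsSpec(html) {
  return html.replace(RSCRIPT_SPEC, "");
}

// True when a script start tag survives the given stripping function.
function scriptSurvives(stripFn, html) {
  return RSCRIPT_START.test(stripFn(html));
}

// Constructed sample responses, as a server an attacker controls (or can inject into)
// might return them to .load(). Only the spelling of the end tag differs.
const SAMPLES = {
  plain:      '<div id="content">hello</div><script>alert(1)</script>',
  spaceClose: '<div id="content">hello</div><script>alert(1)</script >',
  tabClose:   '<div id="content">hello</div><script type="text/javascript">alert(1)</script\t>',
};

// Run every sample through both filters and report which ones still carry a script.
function report() {
  const rows = {};
  for (const [name, html] of Object.entries(SAMPLES)) {
    rows[name] = {
      pre19: scriptSurvives(stripScriptsPre19, html),
      spec:  scriptSurvives(stripScriptsSpec, html),
    };
  }
  return rows;
}

console.table(report());
```

The table shows the pre-1.9 filter stripping only the sample that spells its end tag exactly "</script>", while both whitespace variants pass through untouched; the same test is a quick way to confirm that any other regex-based HTML sanitiser in your own code handles whitespace inside end tags.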
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
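The CSAF record for this advisory also lists CVE-2019-11358, the prototype-pollution flaw in jQuery's extend function described in the vulnerability notes that follow: untrusted JSON deep-merged into an object could reach Object.prototype through a key named "__proto__". The following is an added illustration, not jQuery's code and not part of the advisory: it models only the recursive deep-merge branch that the flaw abuses, alongside the same merge with the "__proto__" guard that jQuery 3.4.0 added; the JSON payload is constructed.

```javascript
// Deep merge in the shape of jQuery.extend(true, target, source) before 3.4.0. This is an
// added model of the vulnerable pattern, not jQuery's source: only the recursive branch
// that CVE-2019-11358 abuses is reproduced.
function deepExtendVulnerable(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (copy !== null && typeof copy === "object") {
      // When name is "__proto__", target[name] resolves to Object.prototype, so the
      // recursion below writes the attacker's keys onto every plain object.
      const existing = target[name];
      const clone = existing !== null && typeof existing === "object" ? existing : {};
      target[name] = deepExtendVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Same merge with the guard jQuery 3.4.0 added: skip "__proto__" and self-references.
function deepExtendFixed(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (name === "__proto__" || target === copy) {
      continue;
    }
    if (copy !== null && typeof copy === "object") {
      const existing = target[name];
      const clone = existing !== null && typeof existing === "object" ? existing : {};
      target[name] = deepExtendFixed(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed attacker payload. JSON.parse creates an own property literally named
// "__proto__" (unlike an object literal, where __proto__ would set the prototype),
// and for...in enumerates it like any other key.
const UNTRUSTED_JSON = '{"__proto__": {"polluted": true}, "name": "settings"}';

// Merge the payload into an empty object and report whether Object.prototype was
// modified; the prototype is cleaned up afterwards so later code is unaffected.
function pollutes(extendFn) {
  const source = JSON.parse(UNTRUSTED_JSON);
  try {
    extendFn({}, source);
    return ({}).polluted === true;
  } finally {
    delete Object.prototype.polluted;
  }
}

console.log("vulnerable merge pollutes Object.prototype:", pollutes(deepExtendVulnerable));
console.log("guarded merge pollutes Object.prototype:   ", pollutes(deepExtendFixed));
```

The pollution only happens because the merge recurses into whatever target[name] already holds; the guard works by never treating "__proto__" as a key to merge into, which is the same reasoning behind rejecting that key in any recursive merge or config loader that accepts attacker-controlled JSON.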
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for pcs is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.\n\nThe following packages have been upgraded to a later upstream version: pcs (0.10.10). (BZ#1935594)\n\nSecurity Fix(es):\n\n* jquery: Cross-site scripting (XSS) via \u003cscript\u003e HTML tags containing whitespaces (CVE-2020-7656)\n\n* jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods (CVE-2020-11023)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:4142", "url": "https://access.redhat.com/errata/RHSA-2021:4142" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/", "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/" }, { "category": "external", "summary": "1290830", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1290830" }, { "category": "external", "summary": "1432097", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1432097" }, { "category": "external", "summary": "1678273", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1678273" }, { "category": "external", "summary": "1690419", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1690419" }, { "category": "external", "summary": "1720221", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1720221" }, { "category": "external", "summary": "1759995", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1759995" }, { "category": "external", "summary": "1841019", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1841019" }, { "category": "external", "summary": "1850004", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004" }, { "category": "external", "summary": "1850119", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850119" }, { "category": 
"external", "summary": "1854238", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1854238" }, { "category": "external", "summary": "1872378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1872378" }, { "category": "external", "summary": "1885293", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1885293" }, { "category": "external", "summary": "1885302", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1885302" }, { "category": "external", "summary": "1896458", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1896458" }, { "category": "external", "summary": "1909901", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1909901" }, { "category": "external", "summary": "1922996", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1922996" }, { "category": "external", "summary": "1927384", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1927384" }, { "category": "external", "summary": "1927394", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1927394" }, { "category": "external", "summary": "1930886", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1930886" }, { "category": "external", "summary": "1935594", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1935594" }, { "category": "external", "summary": "1984901", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1984901" }, { "category": "external", "summary": "1991654", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1991654" }, { "category": "external", "summary": "1992668", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1992668" }, { "category": "external", "summary": "1998454", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1998454" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_4142.json" } ], "title": "Red Hat Security Advisory: pcs security, bug fix, and enhancement update", "tracking": { "current_release_date": "2024-11-15T09:43:03+00:00", "generator": { "date": 
"2024-11-15T09:43:03+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2021:4142", "initial_release_date": "2021-11-09T17:49:34+00:00", "revision_history": [ { "date": "2021-11-09T17:49:34+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-11-09T17:49:34+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T09:43:03+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux High Availability (v. 8)", "product": { "name": "Red Hat Enterprise Linux High Availability (v. 8)", "product_id": "HighAvailability-8.5.0.GA", "product_identification_helper": { "cpe": "cpe:/a:redhat:enterprise_linux:8::highavailability" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Resilient Storage (v. 8)", "product": { "name": "Red Hat Enterprise Linux Resilient Storage (v. 
8)", "product_id": "ResilientStorage-8.5.0.GA", "product_identification_helper": { "cpe": "cpe:/a:redhat:enterprise_linux:8::resilientstorage" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "pcs-0:0.10.10-4.el8.src", "product": { "name": "pcs-0:0.10.10-4.el8.src", "product_id": "pcs-0:0.10.10-4.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/pcs@0.10.10-4.el8?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "pcs-0:0.10.10-4.el8.aarch64", "product": { "name": "pcs-0:0.10.10-4.el8.aarch64", "product_id": "pcs-0:0.10.10-4.el8.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/pcs@0.10.10-4.el8?arch=aarch64" } } }, { "category": "product_version", "name": "pcs-snmp-0:0.10.10-4.el8.aarch64", "product": { "name": "pcs-snmp-0:0.10.10-4.el8.aarch64", "product_id": "pcs-snmp-0:0.10.10-4.el8.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/pcs-snmp@0.10.10-4.el8?arch=aarch64" } } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "pcs-0:0.10.10-4.el8.ppc64le", "product": { "name": "pcs-0:0.10.10-4.el8.ppc64le", "product_id": "pcs-0:0.10.10-4.el8.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/pcs@0.10.10-4.el8?arch=ppc64le" } } }, { "category": "product_version", "name": "pcs-snmp-0:0.10.10-4.el8.ppc64le", "product": { "name": "pcs-snmp-0:0.10.10-4.el8.ppc64le", "product_id": "pcs-snmp-0:0.10.10-4.el8.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/pcs-snmp@0.10.10-4.el8?arch=ppc64le" } } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "pcs-0:0.10.10-4.el8.x86_64", "product": { "name": "pcs-0:0.10.10-4.el8.x86_64", "product_id": "pcs-0:0.10.10-4.el8.x86_64", "product_identification_helper": { 
"purl": "pkg:rpm/redhat/pcs@0.10.10-4.el8?arch=x86_64" } } }, { "category": "product_version", "name": "pcs-snmp-0:0.10.10-4.el8.x86_64", "product": { "name": "pcs-snmp-0:0.10.10-4.el8.x86_64", "product_id": "pcs-snmp-0:0.10.10-4.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/pcs-snmp@0.10.10-4.el8?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "pcs-0:0.10.10-4.el8.s390x", "product": { "name": "pcs-0:0.10.10-4.el8.s390x", "product_id": "pcs-0:0.10.10-4.el8.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/pcs@0.10.10-4.el8?arch=s390x" } } }, { "category": "product_version", "name": "pcs-snmp-0:0.10.10-4.el8.s390x", "product": { "name": "pcs-snmp-0:0.10.10-4.el8.s390x", "product_id": "pcs-snmp-0:0.10.10-4.el8.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/pcs-snmp@0.10.10-4.el8?arch=s390x" } } } ], "category": "architecture", "name": "s390x" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "pcs-0:0.10.10-4.el8.aarch64 as a component of Red Hat Enterprise Linux High Availability (v. 8)", "product_id": "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.aarch64" }, "product_reference": "pcs-0:0.10.10-4.el8.aarch64", "relates_to_product_reference": "HighAvailability-8.5.0.GA" }, { "category": "default_component_of", "full_product_name": { "name": "pcs-0:0.10.10-4.el8.ppc64le as a component of Red Hat Enterprise Linux High Availability (v. 8)", "product_id": "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.ppc64le" }, "product_reference": "pcs-0:0.10.10-4.el8.ppc64le", "relates_to_product_reference": "HighAvailability-8.5.0.GA" }, { "category": "default_component_of", "full_product_name": { "name": "pcs-0:0.10.10-4.el8.s390x as a component of Red Hat Enterprise Linux High Availability (v. 
8)", "product_id": "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.s390x" }, "product_reference": "pcs-0:0.10.10-4.el8.s390x", "relates_to_product_reference": "HighAvailability-8.5.0.GA" }, { "category": "default_component_of", "full_product_name": { "name": "pcs-0:0.10.10-4.el8.src as a component of Red Hat Enterprise Linux High Availability (v. 8)", "product_id": "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.src" }, "product_reference": "pcs-0:0.10.10-4.el8.src", "relates_to_product_reference": "HighAvailability-8.5.0.GA" }, { "category": "default_component_of", "full_product_name": { "name": "pcs-0:0.10.10-4.el8.x86_64 as a component of Red Hat Enterprise Linux High Availability (v. 8)", "product_id": "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.x86_64" }, "product_reference": "pcs-0:0.10.10-4.el8.x86_64", "relates_to_product_reference": "HighAvailability-8.5.0.GA" }, { "category": "default_component_of", "full_product_name": { "name": "pcs-snmp-0:0.10.10-4.el8.aarch64 as a component of Red Hat Enterprise Linux High Availability (v. 8)", "product_id": "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.aarch64" }, "product_reference": "pcs-snmp-0:0.10.10-4.el8.aarch64", "relates_to_product_reference": "HighAvailability-8.5.0.GA" }, { "category": "default_component_of", "full_product_name": { "name": "pcs-snmp-0:0.10.10-4.el8.ppc64le as a component of Red Hat Enterprise Linux High Availability (v. 8)", "product_id": "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.ppc64le" }, "product_reference": "pcs-snmp-0:0.10.10-4.el8.ppc64le", "relates_to_product_reference": "HighAvailability-8.5.0.GA" }, { "category": "default_component_of", "full_product_name": { "name": "pcs-snmp-0:0.10.10-4.el8.s390x as a component of Red Hat Enterprise Linux High Availability (v. 
8)", "product_id": "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.s390x" }, "product_reference": "pcs-snmp-0:0.10.10-4.el8.s390x", "relates_to_product_reference": "HighAvailability-8.5.0.GA" }, { "category": "default_component_of", "full_product_name": { "name": "pcs-snmp-0:0.10.10-4.el8.x86_64 as a component of Red Hat Enterprise Linux High Availability (v. 8)", "product_id": "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.x86_64" }, "product_reference": "pcs-snmp-0:0.10.10-4.el8.x86_64", "relates_to_product_reference": "HighAvailability-8.5.0.GA" }, { "category": "default_component_of", "full_product_name": { "name": "pcs-0:0.10.10-4.el8.aarch64 as a component of Red Hat Enterprise Linux Resilient Storage (v. 8)", "product_id": "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.aarch64" }, "product_reference": "pcs-0:0.10.10-4.el8.aarch64", "relates_to_product_reference": "ResilientStorage-8.5.0.GA" }, { "category": "default_component_of", "full_product_name": { "name": "pcs-0:0.10.10-4.el8.ppc64le as a component of Red Hat Enterprise Linux Resilient Storage (v. 8)", "product_id": "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.ppc64le" }, "product_reference": "pcs-0:0.10.10-4.el8.ppc64le", "relates_to_product_reference": "ResilientStorage-8.5.0.GA" }, { "category": "default_component_of", "full_product_name": { "name": "pcs-0:0.10.10-4.el8.s390x as a component of Red Hat Enterprise Linux Resilient Storage (v. 8)", "product_id": "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.s390x" }, "product_reference": "pcs-0:0.10.10-4.el8.s390x", "relates_to_product_reference": "ResilientStorage-8.5.0.GA" }, { "category": "default_component_of", "full_product_name": { "name": "pcs-0:0.10.10-4.el8.src as a component of Red Hat Enterprise Linux Resilient Storage (v. 
8)", "product_id": "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.src" }, "product_reference": "pcs-0:0.10.10-4.el8.src", "relates_to_product_reference": "ResilientStorage-8.5.0.GA" }, { "category": "default_component_of", "full_product_name": { "name": "pcs-0:0.10.10-4.el8.x86_64 as a component of Red Hat Enterprise Linux Resilient Storage (v. 8)", "product_id": "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.x86_64" }, "product_reference": "pcs-0:0.10.10-4.el8.x86_64", "relates_to_product_reference": "ResilientStorage-8.5.0.GA" }, { "category": "default_component_of", "full_product_name": { "name": "pcs-snmp-0:0.10.10-4.el8.aarch64 as a component of Red Hat Enterprise Linux Resilient Storage (v. 8)", "product_id": "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.aarch64" }, "product_reference": "pcs-snmp-0:0.10.10-4.el8.aarch64", "relates_to_product_reference": "ResilientStorage-8.5.0.GA" }, { "category": "default_component_of", "full_product_name": { "name": "pcs-snmp-0:0.10.10-4.el8.ppc64le as a component of Red Hat Enterprise Linux Resilient Storage (v. 8)", "product_id": "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.ppc64le" }, "product_reference": "pcs-snmp-0:0.10.10-4.el8.ppc64le", "relates_to_product_reference": "ResilientStorage-8.5.0.GA" }, { "category": "default_component_of", "full_product_name": { "name": "pcs-snmp-0:0.10.10-4.el8.s390x as a component of Red Hat Enterprise Linux Resilient Storage (v. 8)", "product_id": "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.s390x" }, "product_reference": "pcs-snmp-0:0.10.10-4.el8.s390x", "relates_to_product_reference": "ResilientStorage-8.5.0.GA" }, { "category": "default_component_of", "full_product_name": { "name": "pcs-snmp-0:0.10.10-4.el8.x86_64 as a component of Red Hat Enterprise Linux Resilient Storage (v. 
8)", "product_id": "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.x86_64" }, "product_reference": "pcs-snmp-0:0.10.10-4.el8.x86_64", "relates_to_product_reference": "ResilientStorage-8.5.0.GA" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-11358", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2019-03-28T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1701972" } ], "notes": [ { "category": "description", "text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. 
These packages are deprecated in Red Hat Virtualization 4.3.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.aarch64", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.ppc64le", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.s390x", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.src", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.x86_64", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.aarch64", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.ppc64le", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.s390x", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.x86_64", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.aarch64", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.ppc64le", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.s390x", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.src", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.x86_64", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.aarch64", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.ppc64le", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.s390x", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-11358" }, { "category": "external", "summary": "RHBZ#1701972", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358", "url": "https://www.cve.org/CVERecord?id=CVE-2019-11358" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358" }, { 
"category": "external", "summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/", "url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/" }, { "category": "external", "summary": "https://www.drupal.org/sa-core-2019-006", "url": "https://www.drupal.org/sa-core-2019-006" } ], "release_date": "2019-03-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-09T17:49:34+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.aarch64", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.ppc64le", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.s390x", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.src", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.x86_64", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.aarch64", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.ppc64le", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.s390x", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.x86_64", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.aarch64", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.ppc64le", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.s390x", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.src", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.x86_64", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.aarch64", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.ppc64le", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.s390x", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4142" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": 
"NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0" }, "products": [ "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.aarch64", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.ppc64le", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.s390x", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.src", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.x86_64", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.aarch64", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.ppc64le", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.s390x", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.x86_64", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.aarch64", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.ppc64le", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.s390x", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.src", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.x86_64", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.aarch64", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.ppc64le", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.s390x", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection" }, { "cve": "CVE-2020-7656", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2020-06-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1850119" } ], "notes": [ { "category": "description", "text": "A flaw was found in jquery in versions prior to 1.9.0. 
A cross-site scripting attack is possible as the load method fails to recognize and remove \"\u003cscript\u003e\" HTML tags that contain a whitespace character which results in the enclosed script logic to be executed. The highest threat from this vulnerability is to data confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Cross-site scripting (XSS) via \u003cscript\u003e HTML tags containing whitespaces", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux version 6, 7 and 8 ship a vulnerable version of JQuery in the `pcs` component. However the vulnerable has not been found to be exploitable in reasonable scenarios. A future update may update JQuery to a fixed version.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.aarch64", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.ppc64le", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.s390x", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.src", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.x86_64", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.aarch64", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.ppc64le", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.s390x", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.x86_64", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.aarch64", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.ppc64le", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.s390x", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.src", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.x86_64", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.aarch64", 
"ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.ppc64le", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.s390x", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-7656" }, { "category": "external", "summary": "RHBZ#1850119", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850119" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-7656", "url": "https://www.cve.org/CVERecord?id=CVE-2020-7656" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-7656", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7656" } ], "release_date": "2020-05-19T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-09T17:49:34+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.aarch64", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.ppc64le", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.s390x", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.src", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.x86_64", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.aarch64", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.ppc64le", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.s390x", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.x86_64", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.aarch64", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.ppc64le", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.s390x", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.src", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.x86_64", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.aarch64", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.ppc64le", 
"ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.s390x", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4142" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" }, "products": [ "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.aarch64", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.ppc64le", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.s390x", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.src", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.x86_64", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.aarch64", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.ppc64le", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.s390x", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.x86_64", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.aarch64", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.ppc64le", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.s390x", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.src", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.x86_64", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.aarch64", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.ppc64le", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.s390x", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jquery: Cross-site scripting (XSS) via \u003cscript\u003e HTML tags containing whitespaces" }, { "cve": "CVE-2020-11023", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, 
"discovery_date": "2020-06-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1850004" } ], "notes": [ { "category": "description", "text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. However, the vulnerability has not been found to be exploitable in reasonable scenarios. \n\nIn RHEL7, pcs-0.9.169-3.el7_9.3 [RHSA-2022:7343] contains an updated version of jquery (3.6.0), which does not contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.aarch64", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.ppc64le", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.s390x", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.src", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.x86_64", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.aarch64", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.ppc64le", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.s390x", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.x86_64", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.aarch64", 
"ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.ppc64le", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.s390x", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.src", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.x86_64", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.aarch64", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.ppc64le", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.s390x", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-11023" }, { "category": "external", "summary": "RHBZ#1850004", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023", "url": "https://www.cve.org/CVERecord?id=CVE-2020-11023" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023" }, { "category": "external", "summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/", "url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/" } ], "release_date": "2020-04-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-09T17:49:34+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.aarch64", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.ppc64le", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.s390x", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.src", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.x86_64", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.aarch64", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.ppc64le", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.s390x", 
"HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.x86_64", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.aarch64", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.ppc64le", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.s390x", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.src", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.x86_64", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.aarch64", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.ppc64le", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.s390x", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4142" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.aarch64", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.ppc64le", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.s390x", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.src", "HighAvailability-8.5.0.GA:pcs-0:0.10.10-4.el8.x86_64", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.aarch64", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.ppc64le", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.s390x", "HighAvailability-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.x86_64", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.aarch64", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.ppc64le", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.s390x", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.src", "ResilientStorage-8.5.0.GA:pcs-0:0.10.10-4.el8.x86_64", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.aarch64", 
"ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.ppc64le", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.s390x", "ResilientStorage-8.5.0.GA:pcs-snmp-0:0.10.10-4.el8.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods" } ] }
ghsa-q4m3-2j7h-f7xw
Vulnerability from github
Published
2020-05-20 16:18
Modified
2024-10-10 16:17
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
5.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Summary
Cross-Site Scripting in jquery
Details
Versions of jquery prior to 1.9.0 are vulnerable to Cross-Site Scripting. The load method fails to recognize and remove <script> HTML tags that contain a whitespace character, i.e. </script >, which results in the enclosed script logic being executed. This allows attackers to execute arbitrary JavaScript in a victim's browser.
Recommendation
Upgrade to version 1.9.0 or later.
{ "affected": [ { "package": { "ecosystem": "npm", "name": "jquery" }, "ranges": [ { "events": [ { "introduced": "1.2.1" }, { "fixed": "1.9.0" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "jQuery" }, "ranges": [ { "events": [ { "introduced": "1.2.1" }, { "fixed": "1.9.0" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "RubyGems", "name": "jquery-rails" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "2.2.0" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.webjars.npm:jquery" }, "ranges": [ { "events": [ { "introduced": "1.2.1" }, { "fixed": "1.9.0" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2020-7656" ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2020-05-20T16:17:45Z", "nvd_published_at": "2020-05-19T21:15:00Z", "severity": "MODERATE" }, "details": "Versions of `jquery` prior to 1.9.0 are vulnerable to Cross-Site Scripting. The load method fails to recognize and remove `\u003cscript\u003e` HTML tags that contain a whitespace character, i.e: `\u003c/script \u003e`, which results in the enclosed script logic to be executed. 
This allows attackers to execute arbitrary JavaScript in a victim\u0027s browser.\n\n\n## Recommendation\n\nUpgrade to version 1.9.0 or later.", "id": "GHSA-q4m3-2j7h-f7xw", "modified": "2024-10-10T16:17:32Z", "published": "2020-05-20T16:18:01Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7656" }, { "type": "WEB", "url": "https://github.com/jquery/jquery/commit/05531fc4080ae24070930d15ae0cea7ae056457d" }, { "type": "WEB", "url": "https://github.com/jquery/jquery/commit/606b863edaff29035960e4d813b45d63b8d92876" }, { "type": "PACKAGE", "url": "https://github.com/jquery/jquery" }, { "type": "WEB", "url": "https://github.com/jquery/jquery/blob/9e6393b0bcb52b15313f88141d0bd7dd54227426/src/ajax.js#L203" }, { "type": "WEB", "url": "https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#220-19-january-2013" }, { "type": "WEB", "url": "https://github.com/rails/jquery-rails/blob/v2.1.4/vendor/assets/javascripts/jquery.js#L7481" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-7656.yml" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200528-0001" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-JQUERY-569619" }, { "type": "WEB", "url": "https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved-in-Junos-OS-21-2R1?language=en_US" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "type": "CVSS_V3" }, { "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "type": "CVSS_V4" } ], "summary": "Cross-Site Scripting in jquery" }