Description
A remote code execution vulnerability exists in Xterm.js when the component mishandles special characters, aka "Xterm Remote Code Execution Vulnerability." This affects xterm.js.
It was found that xterm.js does not sanitize terminal escape sequences in browser terminals, allowing execution of arbitrary commands. An attacker could exploit this by convincing a user with an xterm.js browser terminal to display an escape sequence, for example by reading from a log file containing attacker-controlled input.
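The practical lesson of the description above is that any text an application writes into a browser terminal is interpreted, not just displayed. The following is an added example, not xterm.js project code and not the fix the project shipped: a conservative filter that an application can run over untrusted text (such as log lines with attacker-controlled fields) before handing it to a terminal widget. The page does not say which sequence the advisory concerns, so the filter strips every ECMA-48 sequence family instead of trying to enumerate dangerous ones, and it records what it removed so the event can be logged. The sample log lines and the `flagSuspiciousLines` helper are constructed for this example.

```javascript
// Added example, not xterm.js code: find and strip terminal escape sequences
// from untrusted text before an application writes it to a browser terminal.
// Families handled: CSI (ESC [ ... final byte), OSC (ESC ] ... BEL or ST),
// DCS/SOS/PM/APC strings (ESC P, X, ^, _ ... ST), other ESC sequences, the
// 8-bit C1 introducers (0x90, 0x98, 0x9B, 0x9D, 0x9E, 0x9F) and stray C0/C1
// control bytes other than TAB, LF and CR.
const ESC = 0x1b;
const BEL = 0x07;

function isCsiFinal(c) { return c >= 0x40 && c <= 0x7e; }

// Advance past a string terminator: 8-bit ST (0x9C), ESC \ or, for OSC, BEL.
// Returns the index just past the terminator, or s.length if the string is
// unterminated (an unterminated OSC would otherwise swallow the whole stream).
function skipToTerminator(s, j, belTerminates) {
  while (j < s.length) {
    const c = s.charCodeAt(j);
    if (c === 0x9c) return j + 1;
    if (belTerminates && c === BEL) return j + 1;
    if (c === ESC && j + 1 < s.length && s[j + 1] === '\\') return j + 2;
    j++;
  }
  return j;
}

// Returns { clean, findings }: the text with all sequences removed, plus one
// record { kind, offset, raw } per removed sequence for logging or alerting.
function sanitizeTerminalText(input) {
  let clean = '';
  const findings = [];
  let i = 0;
  while (i < input.length) {
    const c = input.charCodeAt(i);
    let kind = null;
    let j = i + 1; // index just past the introducer
    if (c === ESC && i + 1 < input.length) {
      const n = input.charCodeAt(i + 1);
      j = i + 2;
      if (n === 0x5b) kind = 'CSI';
      else if (n === 0x5d) kind = 'OSC';
      else if (n === 0x50 || n === 0x58 || n === 0x5e || n === 0x5f) kind = 'STRING';
      else { kind = 'ESC'; j = i + 1; }
    } else if (c === 0x9b) kind = 'CSI';
    else if (c === 0x9d) kind = 'OSC';
    else if (c === 0x90 || c === 0x98 || c === 0x9e || c === 0x9f) kind = 'STRING';
    else if (c === ESC || (c < 0x20 && c !== 0x09 && c !== 0x0a && c !== 0x0d) ||
             (c >= 0x80 && c <= 0x9f)) kind = 'CTRL';

    if (kind === null) { clean += input[i]; i++; continue; }

    if (kind === 'CSI') {
      // parameter bytes 0x30-0x3F and intermediates 0x20-0x2F, then one final byte
      while (j < input.length && input.charCodeAt(j) >= 0x20 && input.charCodeAt(j) <= 0x3f) j++;
      if (j < input.length && isCsiFinal(input.charCodeAt(j))) j++;
    } else if (kind === 'OSC') {
      j = skipToTerminator(input, j, true);
    } else if (kind === 'STRING') {
      j = skipToTerminator(input, j, false);
    } else if (kind === 'ESC') {
      // ESC, optional intermediates 0x20-0x2F, one final byte 0x30-0x7E
      while (j < input.length && input.charCodeAt(j) >= 0x20 && input.charCodeAt(j) <= 0x2f) j++;
      if (j < input.length && input.charCodeAt(j) >= 0x30 && input.charCodeAt(j) <= 0x7e) j++;
    }
    findings.push({ kind, offset: i, raw: input.slice(i, j) });
    i = j;
  }
  return { clean, findings };
}

// Constructed sample: three log lines as an application might read them from a
// pod log; the second carries an OSC sequence planted in a request path.
const SAMPLE_LOG_LINES = [
  '2019-08-22T10:00:01Z INFO  GET /healthz 200',
  '2019-08-22T10:00:02Z WARN  GET /search?q=\x1b]0;injected title\x07 404',
  '2019-08-22T10:00:03Z \x1b[31mERROR\x1b[0m upstream timeout',
];

// Returns only the lines that contained sequences, with the kinds seen.
function flagSuspiciousLines(lines) {
  const flagged = [];
  lines.forEach((line, index) => {
    const { clean, findings } = sanitizeTerminalText(line);
    if (findings.length > 0) {
      flagged.push({ index, clean, kinds: findings.map((f) => f.kind) });
    }
  });
  return flagged;
}

console.log(flagSuspiciousLines(SAMPLE_LOG_LINES));
```

This filter belongs in application code that renders untrusted text through a terminal widget itself (a log viewer, a build-output pane); it cannot protect an interactive shell session in which the user runs `cat` on a log file, because that output never passes through the application. For that case the only fix is the updated package, and the filter's findings are still useful as a detection signal when log ingestion pipelines see escape sequences in fields that should never contain them.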
Statement
This issue affects both the atomic-openshift-web-console RPM and the openshift3/ose-console container image shipped in OpenShift Container Platform. These components provide a web console for opening in-browser terminals in cluster pods. Successful exploitation of this issue would require an attacker to convince an authorized user to open an in-browser terminal on a target pod and execute a command that prints attacker-controlled input. Red Hat Product Security has rated this issue as having a security impact of Moderate. A future update may address this issue.
Affected packages
| Platform | Package | Status | Advisory | Release date |
|---|---|---|---|---|
| Red Hat OpenShift Container Platform 4 | openshift4/ose-console | Not affected | | |
| Red Hat OpenShift Container Platform 3.10 | atomic-openshift-web-console | Fixed | RHSA-2019:2552 | 22.08.2019 |
| Red Hat OpenShift Container Platform 3.11 | openshift3/apb-base | Fixed | RHBA-2019:0959 | 01.05.2019 |
| Red Hat OpenShift Container Platform 3.11 | openshift3/apb-tools | Fixed | RHBA-2019:0959 | 01.05.2019 |
| Red Hat OpenShift Container Platform 3.11 | openshift3/automation-broker-apb | Fixed | RHBA-2019:0959 | 01.05.2019 |
| Red Hat OpenShift Container Platform 3.11 | openshift3/csi-attacher | Fixed | RHBA-2019:0959 | 01.05.2019 |
| Red Hat OpenShift Container Platform 3.11 | openshift3/csi-driver-registrar | Fixed | RHBA-2019:0959 | 01.05.2019 |
| Red Hat OpenShift Container Platform 3.11 | openshift3/csi-livenessprobe | Fixed | RHBA-2019:0959 | 01.05.2019 |
| Red Hat OpenShift Container Platform 3.11 | openshift3/csi-provisioner | Fixed | RHBA-2019:0959 | 01.05.2019 |
| Red Hat OpenShift Container Platform 3.11 | openshift3/grafana | Fixed | RHBA-2019:0959 | 01.05.2019 |
Additional information
Status:
CVSS3: 7.5 High
Related vulnerabilities
Vulnerability in the Xterm.js library caused by missing input sanitization, allowing an attacker to execute arbitrary code
CVSS3: 7.5 High