Description
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.
An arbitrary code injection vulnerability was found in nodejs-xmlhttprequest. For this vulnerability to occur, the connection must be opened with XMLHttpRequest.open in synchronous mode (parameter async=False). If the subsequent xhr.send call carries user-controllable input, the flaw allows an attacker to execute arbitrary code. When xhr.send is called on the server on behalf of a user, the injected code runs on the Node.js server with the privileges of the Node.js process. The highest threat from this vulnerability is to confidentiality, integrity and system availability.
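The affected ranges stated above (xmlhttprequest before 1.7.0, every version of xmlhttprequest-ssl) are easy to miss when the package arrives as a transitive dependency. The following is an added example, not code from the advisory, from Red Hat or from the xmlhttprequest project: it scans an npm package-lock.json (both the nested lockfileVersion 1 layout and the flat "packages" layout of versions 2 and 3) and reports every entry that falls inside those ranges. The sample lockfile at the bottom is constructed for the demonstration and does not describe a real project; the version comparator is a minimal numeric one (assumption: no pre-release tags need ordering for this check).

```javascript
// Added example: flag lockfile entries inside the advisory's affected ranges.
//   xmlhttprequest      < 1.7.0   -> affected
//   xmlhttprequest-ssl  (any)     -> affected

const AFFECTED = {
  "xmlhttprequest": (v) => compareVersions(v, "1.7.0") < 0,
  "xmlhttprequest-ssl": () => true,
};

// Compare dotted versions numerically ("1.6.0" vs "1.7.0"): -1, 0 or 1.
// A pre-release suffix after "-" is ignored (assumption: not needed for this check).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Yield [name, version, path] triples from either lockfile layout.
function* lockEntries(lock) {
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!path) continue;
      const marker = "node_modules/";
      const name = meta.name || path.slice(path.lastIndexOf(marker) + marker.length);
      yield [name, meta.version, path];
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" objects.
    yield* walkV1(lock.dependencies, "");
  }
}

function* walkV1(deps, prefix) {
  for (const [name, meta] of Object.entries(deps)) {
    const path = `${prefix}node_modules/${name}`;
    yield [name, meta.version, path];
    if (meta.dependencies) yield* walkV1(meta.dependencies, path + "/");
  }
}

// Return every lockfile entry that is in an affected range, with its install path
// so the owning (direct) dependency can be identified and upgraded.
function findAffectedXhr(lock) {
  const hits = [];
  for (const [name, version, path] of lockEntries(lock)) {
    const isAffected = AFFECTED[name];
    if (isAffected && version && isAffected(version)) {
      hits.push({ name, version, path });
    }
  }
  return hits;
}

// Constructed sample lockfile (v2 layout) for the demonstration; not a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "sample-app", version: "0.0.1" },
    "node_modules/xmlhttprequest": { version: "1.6.0" },                         // affected: < 1.7.0
    "node_modules/some-dep": { version: "2.3.4" },
    "node_modules/some-dep/node_modules/xmlhttprequest": { version: "1.8.0" },   // not affected
    "node_modules/xmlhttprequest-ssl": { version: "1.6.3" },                     // affected: all versions
  },
};

// Usage: run the scan over the sample and print the findings.
const REPORT = findAffectedXhr(SAMPLE_LOCK);
console.log(REPORT);
```

A real run would `JSON.parse` the project's package-lock.json and pass it to `findAffectedXhr`; the `path` field tells you which direct dependency pulls in the affected copy, which is the package to bump (to xmlhttprequest 1.7.0 or later, as the advisory states) or to replace when the affected one is xmlhttprequest-ssl.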
Statement
While the OpenShift ServiceMesh (OSSM) grafana-container source does have a vulnerable version of the nodejs-xmlhttprequest, it does not bundle or use the library in the released product. Therefore, the container has been marked not affected.
For the OpenShift Container Platform (OCP), the grafana-container for OCP 4.5 is already using a non-affected version of xmlhttprequest (v1.8.0). Later versions of the container (4.6+) don't include xmlhttprequest.
For Red Hat Advanced Cluster Management for Kubernetes (RHACM), the components that use xmlhttprequest are already on a non-affected version (v1.8.0). Therefore, all supported RHACM versions have been marked not affected.
For Red Hat Ceph Storage (RHCS) 3 and 4 the grafana-container is already using a non-affected version of xmlhttprequest (v1.8.0).
Affected packages

| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| OpenShift Service Mesh 1 | servicemesh-grafana | Not affected | | |
| OpenShift Service Mesh 2.0 | servicemesh-grafana | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | xmlhttprequest | Not affected | | |
| Red Hat Ceph Storage 3 | nodejs-xmlhttprequest | Not affected | | |
| Red Hat Ceph Storage 4 | nodejs-xmlhttprequest | Not affected | | |
| Red Hat OpenShift Container Platform 4 | openshift4/ose-grafana | Not affected | | |
| Red Hat OpenShift Container Platform 4 | openshift4/ose-metering-presto | Not affected | | |
| Red Hat Quay 3 | quay/quay-rhel8 | Not affected | | |
Additional information

CVSS3: 8.1 High
Related vulnerabilities
- xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection (CVSS3: 8.1 High)