exploitDog
CVE-2021-20066

Published: 16 Feb 2021
Source: redhat
CVSS3: 5.6
EPSS: Low

Description

JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled.

A flaw was found in jsdom. JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled.

Statement

For an application that includes jsdom to be vulnerable to this CVE, it must at least enable the loading of resources using something similar to new JSDOM(html, {resources: "usable"}), where html is untrusted input. Furthermore, scripts can be executed by extending the options similar to new JSDOM(html, {resources: "usable", runScripts: "dangerously"}). [1]

OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM) both include components that package a vulnerable version of jsdom. However, none of the components directly enable the loading of resources via resources: "usable", and most components only include jsdom for use in tests. Hence for OCP and OSSM the effects are rated to have a Low impact and are wontfix at this time; they might be fixed in a future release.

[1] https://github.com/jsdom/jsdom#loading-subresources
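The statement above names the two constructor options that decide whether a jsdom consumer is exposed: resources: "usable" (subresource loading, which is the precondition for this CVE) and runScripts: "dangerously" (script execution). The following is an added example, not code from the advisory or from the jsdom project: a review-time helper that classifies a JSDOM options object by exposure level, with the two unsafe constructions quoted above placed beside the hardened default. The option names and values are jsdom's own; the level names, the classifyJsdomOptions and isVulnerableUse functions, and the sample option objects are mine. It assumes, as jsdom documents, that a custom ResourceLoader instance passed as `resources` also enables loading.

```javascript
// Added example (not from the advisory or from jsdom): classify a JSDOM
// options object by how much of the host it exposes to the parsed HTML.
// `resources` and `runScripts` are real jsdom options; the level names and
// helper functions below are this example's own.

// Exposure levels, from least to most.
const LEVELS = {
  INERT: "inert",                     // jsdom default: no subresources, no scripts
  LOADS_RESOURCES: "loads-resources", // fetches scripts/frames/images, including local files
  RUNS_SCRIPTS: "runs-scripts",       // page scripts execute inside the jsdom window
};

// "usable" turns on the built-in loader; a ResourceLoader instance (an object)
// turns on a custom one. Either way subresources, including file paths, get loaded.
function loadsSubresources(options) {
  const r = options.resources;
  return r === "usable" || (typeof r === "object" && r !== null);
}

function classifyJsdomOptions(options = {}) {
  if (options.runScripts === "dangerously") return LEVELS.RUNS_SCRIPTS;
  if (loadsSubresources(options)) return LEVELS.LOADS_RESOURCES;
  return LEVELS.INERT;
}

// The condition the statement gives for this CVE: untrusted HTML parsed with
// subresource loading enabled. Script execution on top of that widens impact
// but is not required for the finding to apply.
function isVulnerableUse(options = {}, htmlIsUntrusted) {
  return Boolean(htmlIsUntrusted) && loadsSubresources(options);
}

// Constructed option objects mirroring the two calls quoted in the statement,
// plus the hardened form (jsdom defaults, nothing enabled).
const unsafeLoad = { resources: "usable" };
const unsafeRun = { resources: "usable", runScripts: "dangerously" };
const hardened = {};

// Stand-alone usage: each line prints the level for one configuration.
for (const [name, opts] of Object.entries({ unsafeLoad, unsafeRun, hardened })) {
  console.log(name, "->", classifyJsdomOptions(opts), "vulnerable with untrusted html:", isVulnerableUse(opts, true));
}
```

The check is intended for code review or a lint pass over a code base that pins an affected jsdom: anything that reaches LOADS_RESOURCES or RUNS_SCRIPTS on attacker-supplied HTML is the pattern the advisory describes, while the default options (INERT) are what Red Hat relied on when rating its components Low. Note that `runScripts: "dangerously"` is reported as the top level even without `resources`, because inline scripts in the HTML itself run in that mode.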

Affected packages

Platform | Package | Status | Recommendation | Release
OpenShift Service Mesh 2.0 | kiali | Not affected | |
OpenShift Service Mesh 2.0 | servicemesh-grafana | Will not fix | |
OpenShift Service Mesh 2.0 | servicemesh-prometheus | Will not fix | |
Red Hat Advanced Cluster Management for Kubernetes 2 | search-api | Not affected | |
Red Hat OpenShift Container Platform 4 | openshift4/ose-grafana | Will not fix | |
Red Hat OpenShift Container Platform 4 | openshift4/ose-prometheus | Will not fix | |
Red Hat OpenShift Container Platform 4 | openshift4/ose-thanos-rhel8 | Will not fix | |

Additional information

Severity: Moderate
Weakness: CWE-862
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1930915
jsdom: improper loading of local resources

EPSS

Percentile: 59%
Score: 0.00378
Low

CVSS3

5.6 Medium

Related vulnerabilities

CVSS3: 5.6
ubuntu
almost 5 years ago

JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled.

CVSS3: 5.6
nvd
almost 5 years ago

JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled.

CVSS3: 5.6
debian
almost 5 years ago

JSDom improperly allows the loading of local resources, which allows f ...

github
more than 3 years ago

Withdrawn Advisory: Insufficient Granularity of Access Control in JSDom
