Описание
An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.
Меры по смягчению последствий
There's no known mitigation for this issue. Red Hat recommends to not parse untrusted CSS input using PostCSS.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Cryostat 3 | io.cryostat-cryostat3 | Fix deferred | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Affected | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/logging-view-plugin-rhel9 | Affected | ||
| Migration Toolkit for Applications 7 | mta/mta-cli-rhel9 | Fix deferred | ||
| Migration Toolkit for Applications 7 | mta/mta-ui-rhel9 | Fix deferred | ||
| Migration Toolkit for Containers | rhmtc/openshift-migration-ui-rhel8 | Fix deferred | ||
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-console-plugin-rhel9 | Fix deferred | ||
| Multicluster Engine for Kubernetes | multicluster-engine/console-mce-rhel8 | Will not fix | ||
| Network Observability Operator | network-observability/network-observability-console-plugin-rhel9 | Not affected | ||
| Node HealthCheck Operator | workload-availability/node-remediation-console-rhel8 | Will not fix |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
EPSS
5.3 Medium
CVSS3
Связанные уязвимости
An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.
An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.
An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.
An issue was discovered in PostCSS before 8.4.31. The vulnerability af ...
EPSS
5.3 Medium
CVSS3