Описание
In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure that a pathname is located under the current working directory. NOTE: the Supplier disputes the significance of this report because the "Uncontrolled data used in path expression" occurs "in a development helper script which starts a local web server if needed and must be manually started."
A flaw was found in DOMPurify. This vulnerability allows arbitrary file deletion via crafted input.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Cryostat 3 | io.cryostat-cryostat3 | Affected | ||
| Cryostat 4 | io.cryostat-cryostat | Not affected | ||
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-console-plugin-rhel9 | Not affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine/console-mce-rhel9 | Not affected | ||
| Network Observability Operator | network-observability/network-observability-console-plugin-rhel9 | Not affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-console-plugin-rhel8 | Affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-hub-api-rhel8 | Affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-hub-api-rhel9 | Affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-hub-db-migration-rhel8 | Affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-hub-db-migration-rhel9 | Affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure that a pathname is located under the current working directory. NOTE: the Supplier disputes the significance of this report because the "Uncontrolled data used in path expression" occurs "in a development helper script which starts a local web server if needed and must be manually started."
In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure that a pathname is located under the current working directory. NOTE: the Supplier disputes the significance of this report because the "Uncontrolled data used in path expression" occurs "in a development helper script which starts a local web server if needed and must be manually started."
In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ...
In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure that a pathname is located under the current working directory.
EPSS
7.5 High
CVSS3