ID

VAR-201902-0360


CVE

CVE-2019-8331


TITLE

Red Hat Security Advisory 2023-0554-01

Trust: 0.1

sources: PACKETSTORM: 170819

DESCRIPTION

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute. Bootstrap is an open source web front-end framework developed using HTML, CSS and JavaScript. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML.

Description: Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.

Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied.

JIRA issues fixed (https://issues.jboss.org/):

JBEAP-23864 - (7.4.z) Upgrade xmlsec from 2.1.7.redhat-00001 to 2.2.3.redhat-00001
JBEAP-23865 - [GSS](7.4.z) Upgrade Apache CXF from 3.3.13.redhat-00001 to 3.4.10.redhat-00001
JBEAP-23866 - (7.4.z) Upgrade wss4j from 2.2.7.redhat-00001 to 2.3.3.redhat-00001
JBEAP-23928 - Tracker bug for the EAP 7.4.9 release for RHEL-9
JBEAP-24055 - (7.4.z) Upgrade HAL from 3.3.15.Final-redhat-00001 to 3.3.16.Final-redhat-00001
JBEAP-24081 - (7.4.z) Upgrade Elytron from 1.15.14.Final-redhat-00001 to 1.15.15.Final-redhat-00001
JBEAP-24095 - (7.4.z) Upgrade elytron-web from 1.9.2.Final-redhat-00001 to 1.9.3.Final-redhat-00001
JBEAP-24100 - [GSS](7.4.z) Upgrade Undertow from 2.2.20.SP1-redhat-00001 to 2.2.22.SP3-redhat-00001
JBEAP-24127 - (7.4.z) UNDERTOW-2123 - Update AsyncContextImpl.dispatch to use proper value
JBEAP-24128 - (7.4.z) Upgrade Hibernate Search from 5.10.7.Final-redhat-00001 to 5.10.13.Final-redhat-00001
JBEAP-24132 - [GSS](7.4.z) Upgrade Ironjacamar from 1.5.3.SP2-redhat-00001 to 1.5.10.Final-redhat-00001
JBEAP-24147 - (7.4.z) Upgrade jboss-ejb-client from 4.0.45.Final-redhat-00001 to 4.0.49.Final-redhat-00001
JBEAP-24167 - (7.4.z) Upgrade WildFly Core from 15.0.19.Final-redhat-00001 to 15.0.21.Final-redhat-00002
JBEAP-24191 - [GSS](7.4.z) Upgrade remoting from 5.0.26.SP1-redhat-00001 to 5.0.27.Final-redhat-00001
JBEAP-24195 - [GSS](7.4.z) Upgrade JSF API from 3.0.0.SP06-redhat-00001 to 3.0.0.SP07-redhat-00001
JBEAP-24207 - (7.4.z) Upgrade Soteria from 1.0.1.redhat-00002 to 1.0.1.redhat-00003
JBEAP-24248 - (7.4.z) ELY-2492 - Upgrade sshd-common in Elytron from 2.7.0 to 2.9.2
JBEAP-24426 - (7.4.z) Upgrade Elytron from 1.15.15.Final-redhat-00001 to 1.15.16.Final-redhat-00001
JBEAP-24427 - (7.4.z) Upgrade WildFly Core from 15.0.21.Final-redhat-00002 to 15.0.22.Final-redhat-00001

The purpose of this text-only errata is to inform you about the security issues fixed in this release. Installation instructions are available from the Fuse 7.11.1 product documentation page: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/

4. Bugs fixed (https://bugzilla.redhat.com/):

1686454 - CVE-2019-8331 bootstrap: XSS in the tooltip or popover data-template attribute
1991305 - CVE-2021-3717 wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users
2055496 - CVE-2022-0613 urijs: Authorization Bypass Through User-Controlled Key
2062370 - CVE-2022-24723 urijs: Leading white space bypasses protocol validation
2066009 - CVE-2021-44906 minimist: prototype pollution
2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale
2087186 - CVE-2022-24823 netty: world readable temporary file containing sensitive data
2095862 - CVE-2022-2053 undertow: Large AJP request may cause DoS
2102695 - CVE-2021-31684 json-smart: Denial of Service in JSONParserByteArray function
2105067 - CVE-2022-33980 apache-commons-configuration: Apache Commons Configuration insecure interpolation defaults
2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS
2116952 - CVE-2022-2048 http2-server: Invalid HTTP/2 requests cause DoS
2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections
2129428 - CVE-2022-31197 postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names
2129706 - CVE-2022-38749 snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode
2135435 - CVE-2022-42889 apache-commons-text: variable interpolation RCE
2136141 - CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update
Advisory ID:       RHSA-2020:4670-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4670
Issue date:        2020-11-03
CVE Names:         CVE-2015-9251 CVE-2016-10735 CVE-2018-14040 CVE-2018-14042 CVE-2018-20676 CVE-2018-20677 CVE-2019-8331 CVE-2019-11358 CVE-2020-1722 CVE-2020-11022
====================================================================

1. Summary:

An update for the idm:DL1 and idm:client modules is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Red Hat Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments.

The following packages have been upgraded to a later upstream version: ipa (4.8.7), softhsm (2.6.0), opendnssec (2.1.6). (BZ#1759888, BZ#1818765, BZ#1818877)

Security Fix(es):

* js-jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)
* bootstrap: XSS in the data-target attribute (CVE-2016-10735)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)
* bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)
* bootstrap: XSS in the tooltip data-viewport attribute (CVE-2018-20676)
* bootstrap: XSS in the affix configuration target property (CVE-2018-20677)
* bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331)
* js-jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
* ipa: No password length restriction leads to denial of service (CVE-2020-1722)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.3 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1399546 - CVE-2015-9251 jquery: Cross-site scripting via cross-domain ajax requests
1430365 - [RFE] Host-group names command rename
1488732 - fake_mname in named.conf is no longer effective
1585020 - Enable compat tree to provide information about AD users and groups on trust agents
1601614 - CVE-2018-14040 bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute
1601617 - CVE-2018-14042 bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip
1651577 - [WebUI] IPA Error 3007: RequirmentError" while adding members in "User ID overrides" tab
1668082 - CVE-2018-20676 bootstrap: XSS in the tooltip data-viewport attribute
1668089 - CVE-2018-20677 bootstrap: XSS in the affix configuration target property
1668097 - CVE-2016-10735 bootstrap: XSS in the data-target attribute
1686454 - CVE-2019-8331 bootstrap: XSS in the tooltip or popover data-template attribute
1701233 - [RFE] support setting supported signature methods on the token
1701972 - CVE-2019-11358 jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection
1746830 - Memory leak during search of idview overrides
1750893 - Memory leak when slapi-nis return entries retrieved from nsswitch
1751295 - When sync-repl is enabled, slapi-nis can deadlock during retrochanglog trimming
1757045 - IDM Web GUI / IPA web UI: the ID override operation doesn't work in GUI (it works only from CLI)
1759888 - Rebase OpenDNSSEC to 2.1
1768156 - ERR - schemacompat - map rdlock: old way MAP_MONITOR_DISABLED
1777806 - When Service weight is set as 0 for server in IPA location "IPA Error 903: InternalError" is displayed
1793071 - CVE-2020-1722 ipa: No password length restriction leads to denial of service
1801698 - [RFE] Changing default hostgroup is too easy
1802471 - SELinux policy for ipa-custodia
1809835 - RFE: ipa group-add-member: number of failed should also be emphasized
1810154 - RFE: ipa-backup should compare locally and globally installed server roles
1810179 - ipa-client-install should name authselect backups and restore to that at uninstall time
1813330 - ipa-restore does not restart httpd
1816784 - KRA install fails if all KRA members are Hidden Replicas
1818765 - [Rebase] Rebase ipa to 4.8.6+
1818877 - [Rebase] Rebase to softhsm 2.6.0+
1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
1831732 - AVC avc: denied { dac_override } for comm="ods-enforcerd
1831935 - AD authentication with IdM against SQL Server
1832331 - [abrt] [faf] 389-ds-base: unknown function(): /usr/sbin/ns-slapd killed by 11
1833266 - [dirsrv] set 'nsslapd-enable-upgrade-hash: off' as this raises warnings
1834264 - BIND rebase: rebuild against new so version
1834909 - softhsm use-after-free on process exit
1845211 - Rebase bind-dyndb-ldap to 11.3
1845537 - IPA bind configuration issue
1845596 - ipa trust-add fails with 'Fetching domains from trusted forest failed'
1846352 - cannot issue certs with multiple IP addresses corresponding to different hosts
1846434 - Remove ipa-idoverride-memberof as superceded by ipa-server 4.8.7
1847999 - EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in freeipa-client-epn
1849914 - FreeIPA - Utilize 256-bit AJP connector passwords
1851411 - ipa: typo issue in ipanthomedirectoryrive deffinition
1852244 - ipa-healthcheck inadvertently obsoleted in RHEL 8.2
1853263 - ipa-selinux package missing
1857157 - replica install failing with avc denial for custodia component
1858318 - AttributeError: module 'ssl' has no attribute 'SSLCertVerificationError' when upgrading ca-less ipa master
1859213 - AVC denial during ipa-adtrust-install --add-agents
1863079 - ipa-epn command displays 'exception: ConnectionRefusedError: [Errno 111] Connection refused'
1863616 - CA-less install does not set required permissions on KDC certificate
1866291 - EPN: enhance input validation
1866938 - ipa-epn fails to retrieve user data if some user attributes are not present
1868432 - Unhandled Python exception in '/usr/libexec/ipa/ipa-pki-retrieve-key'
1869311 - ipa trust-add fails with 'Fetching domains from trusted forest failed'
1870202 - File permissions of /etc/ipa/ca.crt differ between CA-ful and CA-less
1874015 - ipa hbacrule-add-service --hbacsvcs=sshd is not applied successfully for subdomain
1875348 - Valgrind reports a memory leak in the Schema Compatibility plugin.
1879604 - pkispawn logs files are empty

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source: bind-dyndb-ldap-11.3-1.module+el8.3.0+6993+104f8db0.src.rpm custodia-0.6.0-3.module+el8.1.0+4098+f286395e.src.rpm ipa-4.8.7-12.module+el8.3.0+8222+c1bff54a.src.rpm ipa-4.8.7-12.module+el8.3.0+8223+6212645f.src.rpm ipa-healthcheck-0.4-6.module+el8.3.0+7710+e2408ce4.src.rpm ipa-healthcheck-0.4-6.module+el8.3.0+7711+c4441980.src.rpm opendnssec-2.1.6-2.module+el8.3.0+6580+328a3362.src.rpm python-jwcrypto-0.5.0-1.module+el8.1.0+4098+f286395e.src.rpm python-jwcrypto-0.5.0-1.module+el8.1.0+4107+4a66eb87.src.rpm python-kdcproxy-0.4-5.module+el8.2.0+4691+a05b2456.src.rpm python-qrcode-5.1-12.module+el8.1.0+4098+f286395e.src.rpm python-qrcode-5.1-12.module+el8.1.0+4107+4a66eb87.src.rpm python-yubico-1.3.2-9.module+el8.1.0+4098+f286395e.src.rpm python-yubico-1.3.2-9.module+el8.1.0+4107+4a66eb87.src.rpm pyusb-1.0.0-9.module+el8.1.0+4098+f286395e.src.rpm pyusb-1.0.0-9.module+el8.1.0+4107+4a66eb87.src.rpm slapi-nis-0.56.5-4.module+el8.3.0+8222+c1bff54a.src.rpm softhsm-2.6.0-3.module+el8.3.0+6909+fb33717d.src.rpm

aarch64: bind-dyndb-ldap-11.3-1.module+el8.3.0+6993+104f8db0.aarch64.rpm bind-dyndb-ldap-debuginfo-11.3-1.module+el8.3.0+6993+104f8db0.aarch64.rpm bind-dyndb-ldap-debugsource-11.3-1.module+el8.3.0+6993+104f8db0.aarch64.rpm ipa-client-4.8.7-12.module+el8.3.0+8222+c1bff54a.aarch64.rpm ipa-client-4.8.7-12.module+el8.3.0+8223+6212645f.aarch64.rpm
ipa-client-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.aarch64.rpm ipa-client-debuginfo-4.8.7-12.module+el8.3.0+8223+6212645f.aarch64.rpm ipa-client-epn-4.8.7-12.module+el8.3.0+8222+c1bff54a.aarch64.rpm ipa-client-epn-4.8.7-12.module+el8.3.0+8223+6212645f.aarch64.rpm ipa-client-samba-4.8.7-12.module+el8.3.0+8222+c1bff54a.aarch64.rpm ipa-client-samba-4.8.7-12.module+el8.3.0+8223+6212645f.aarch64.rpm ipa-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.aarch64.rpm ipa-debuginfo-4.8.7-12.module+el8.3.0+8223+6212645f.aarch64.rpm ipa-debugsource-4.8.7-12.module+el8.3.0+8222+c1bff54a.aarch64.rpm ipa-debugsource-4.8.7-12.module+el8.3.0+8223+6212645f.aarch64.rpm ipa-server-4.8.7-12.module+el8.3.0+8222+c1bff54a.aarch64.rpm ipa-server-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.aarch64.rpm ipa-server-trust-ad-4.8.7-12.module+el8.3.0+8222+c1bff54a.aarch64.rpm ipa-server-trust-ad-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.aarch64.rpm opendnssec-2.1.6-2.module+el8.3.0+6580+328a3362.aarch64.rpm opendnssec-debuginfo-2.1.6-2.module+el8.3.0+6580+328a3362.aarch64.rpm opendnssec-debugsource-2.1.6-2.module+el8.3.0+6580+328a3362.aarch64.rpm slapi-nis-0.56.5-4.module+el8.3.0+8222+c1bff54a.aarch64.rpm slapi-nis-debuginfo-0.56.5-4.module+el8.3.0+8222+c1bff54a.aarch64.rpm slapi-nis-debugsource-0.56.5-4.module+el8.3.0+8222+c1bff54a.aarch64.rpm softhsm-2.6.0-3.module+el8.3.0+6909+fb33717d.aarch64.rpm softhsm-debuginfo-2.6.0-3.module+el8.3.0+6909+fb33717d.aarch64.rpm softhsm-debugsource-2.6.0-3.module+el8.3.0+6909+fb33717d.aarch64.rpm softhsm-devel-2.6.0-3.module+el8.3.0+6909+fb33717d.aarch64.rpm noarch: custodia-0.6.0-3.module+el8.1.0+4098+f286395e.noarch.rpm ipa-client-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch.rpm ipa-client-common-4.8.7-12.module+el8.3.0+8223+6212645f.noarch.rpm ipa-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch.rpm ipa-common-4.8.7-12.module+el8.3.0+8223+6212645f.noarch.rpm ipa-healthcheck-0.4-6.module+el8.3.0+7710+e2408ce4.noarch.rpm 
ipa-healthcheck-core-0.4-6.module+el8.3.0+7710+e2408ce4.noarch.rpm ipa-healthcheck-core-0.4-6.module+el8.3.0+7711+c4441980.noarch.rpm ipa-python-compat-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch.rpm ipa-python-compat-4.8.7-12.module+el8.3.0+8223+6212645f.noarch.rpm ipa-selinux-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch.rpm ipa-selinux-4.8.7-12.module+el8.3.0+8223+6212645f.noarch.rpm ipa-server-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch.rpm ipa-server-dns-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch.rpm python3-custodia-0.6.0-3.module+el8.1.0+4098+f286395e.noarch.rpm python3-ipaclient-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch.rpm python3-ipaclient-4.8.7-12.module+el8.3.0+8223+6212645f.noarch.rpm python3-ipalib-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch.rpm python3-ipalib-4.8.7-12.module+el8.3.0+8223+6212645f.noarch.rpm python3-ipaserver-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch.rpm python3-jwcrypto-0.5.0-1.module+el8.1.0+4098+f286395e.noarch.rpm python3-jwcrypto-0.5.0-1.module+el8.1.0+4107+4a66eb87.noarch.rpm python3-kdcproxy-0.4-5.module+el8.2.0+4691+a05b2456.noarch.rpm python3-pyusb-1.0.0-9.module+el8.1.0+4098+f286395e.noarch.rpm python3-pyusb-1.0.0-9.module+el8.1.0+4107+4a66eb87.noarch.rpm python3-qrcode-5.1-12.module+el8.1.0+4098+f286395e.noarch.rpm python3-qrcode-5.1-12.module+el8.1.0+4107+4a66eb87.noarch.rpm python3-qrcode-core-5.1-12.module+el8.1.0+4098+f286395e.noarch.rpm python3-qrcode-core-5.1-12.module+el8.1.0+4107+4a66eb87.noarch.rpm python3-yubico-1.3.2-9.module+el8.1.0+4098+f286395e.noarch.rpm python3-yubico-1.3.2-9.module+el8.1.0+4107+4a66eb87.noarch.rpm ppc64le: bind-dyndb-ldap-11.3-1.module+el8.3.0+6993+104f8db0.ppc64le.rpm bind-dyndb-ldap-debuginfo-11.3-1.module+el8.3.0+6993+104f8db0.ppc64le.rpm bind-dyndb-ldap-debugsource-11.3-1.module+el8.3.0+6993+104f8db0.ppc64le.rpm ipa-client-4.8.7-12.module+el8.3.0+8222+c1bff54a.ppc64le.rpm ipa-client-4.8.7-12.module+el8.3.0+8223+6212645f.ppc64le.rpm 
ipa-client-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.ppc64le.rpm ipa-client-debuginfo-4.8.7-12.module+el8.3.0+8223+6212645f.ppc64le.rpm ipa-client-epn-4.8.7-12.module+el8.3.0+8222+c1bff54a.ppc64le.rpm ipa-client-epn-4.8.7-12.module+el8.3.0+8223+6212645f.ppc64le.rpm ipa-client-samba-4.8.7-12.module+el8.3.0+8222+c1bff54a.ppc64le.rpm ipa-client-samba-4.8.7-12.module+el8.3.0+8223+6212645f.ppc64le.rpm ipa-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.ppc64le.rpm ipa-debuginfo-4.8.7-12.module+el8.3.0+8223+6212645f.ppc64le.rpm ipa-debugsource-4.8.7-12.module+el8.3.0+8222+c1bff54a.ppc64le.rpm ipa-debugsource-4.8.7-12.module+el8.3.0+8223+6212645f.ppc64le.rpm ipa-server-4.8.7-12.module+el8.3.0+8222+c1bff54a.ppc64le.rpm ipa-server-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.ppc64le.rpm ipa-server-trust-ad-4.8.7-12.module+el8.3.0+8222+c1bff54a.ppc64le.rpm ipa-server-trust-ad-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.ppc64le.rpm opendnssec-2.1.6-2.module+el8.3.0+6580+328a3362.ppc64le.rpm opendnssec-debuginfo-2.1.6-2.module+el8.3.0+6580+328a3362.ppc64le.rpm opendnssec-debugsource-2.1.6-2.module+el8.3.0+6580+328a3362.ppc64le.rpm slapi-nis-0.56.5-4.module+el8.3.0+8222+c1bff54a.ppc64le.rpm slapi-nis-debuginfo-0.56.5-4.module+el8.3.0+8222+c1bff54a.ppc64le.rpm slapi-nis-debugsource-0.56.5-4.module+el8.3.0+8222+c1bff54a.ppc64le.rpm softhsm-2.6.0-3.module+el8.3.0+6909+fb33717d.ppc64le.rpm softhsm-debuginfo-2.6.0-3.module+el8.3.0+6909+fb33717d.ppc64le.rpm softhsm-debugsource-2.6.0-3.module+el8.3.0+6909+fb33717d.ppc64le.rpm softhsm-devel-2.6.0-3.module+el8.3.0+6909+fb33717d.ppc64le.rpm s390x: bind-dyndb-ldap-11.3-1.module+el8.3.0+6993+104f8db0.s390x.rpm bind-dyndb-ldap-debuginfo-11.3-1.module+el8.3.0+6993+104f8db0.s390x.rpm bind-dyndb-ldap-debugsource-11.3-1.module+el8.3.0+6993+104f8db0.s390x.rpm ipa-client-4.8.7-12.module+el8.3.0+8222+c1bff54a.s390x.rpm ipa-client-4.8.7-12.module+el8.3.0+8223+6212645f.s390x.rpm 
ipa-client-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.s390x.rpm ipa-client-debuginfo-4.8.7-12.module+el8.3.0+8223+6212645f.s390x.rpm ipa-client-epn-4.8.7-12.module+el8.3.0+8222+c1bff54a.s390x.rpm ipa-client-epn-4.8.7-12.module+el8.3.0+8223+6212645f.s390x.rpm ipa-client-samba-4.8.7-12.module+el8.3.0+8222+c1bff54a.s390x.rpm ipa-client-samba-4.8.7-12.module+el8.3.0+8223+6212645f.s390x.rpm ipa-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.s390x.rpm ipa-debuginfo-4.8.7-12.module+el8.3.0+8223+6212645f.s390x.rpm ipa-debugsource-4.8.7-12.module+el8.3.0+8222+c1bff54a.s390x.rpm ipa-debugsource-4.8.7-12.module+el8.3.0+8223+6212645f.s390x.rpm ipa-server-4.8.7-12.module+el8.3.0+8222+c1bff54a.s390x.rpm ipa-server-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.s390x.rpm ipa-server-trust-ad-4.8.7-12.module+el8.3.0+8222+c1bff54a.s390x.rpm ipa-server-trust-ad-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.s390x.rpm opendnssec-2.1.6-2.module+el8.3.0+6580+328a3362.s390x.rpm opendnssec-debuginfo-2.1.6-2.module+el8.3.0+6580+328a3362.s390x.rpm opendnssec-debugsource-2.1.6-2.module+el8.3.0+6580+328a3362.s390x.rpm slapi-nis-0.56.5-4.module+el8.3.0+8222+c1bff54a.s390x.rpm slapi-nis-debuginfo-0.56.5-4.module+el8.3.0+8222+c1bff54a.s390x.rpm slapi-nis-debugsource-0.56.5-4.module+el8.3.0+8222+c1bff54a.s390x.rpm softhsm-2.6.0-3.module+el8.3.0+6909+fb33717d.s390x.rpm softhsm-debuginfo-2.6.0-3.module+el8.3.0+6909+fb33717d.s390x.rpm softhsm-debugsource-2.6.0-3.module+el8.3.0+6909+fb33717d.s390x.rpm softhsm-devel-2.6.0-3.module+el8.3.0+6909+fb33717d.s390x.rpm x86_64: bind-dyndb-ldap-11.3-1.module+el8.3.0+6993+104f8db0.x86_64.rpm bind-dyndb-ldap-debuginfo-11.3-1.module+el8.3.0+6993+104f8db0.x86_64.rpm bind-dyndb-ldap-debugsource-11.3-1.module+el8.3.0+6993+104f8db0.x86_64.rpm ipa-client-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64.rpm ipa-client-4.8.7-12.module+el8.3.0+8223+6212645f.x86_64.rpm ipa-client-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64.rpm 
ipa-client-debuginfo-4.8.7-12.module+el8.3.0+8223+6212645f.x86_64.rpm ipa-client-epn-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64.rpm ipa-client-epn-4.8.7-12.module+el8.3.0+8223+6212645f.x86_64.rpm ipa-client-samba-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64.rpm ipa-client-samba-4.8.7-12.module+el8.3.0+8223+6212645f.x86_64.rpm ipa-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64.rpm ipa-debuginfo-4.8.7-12.module+el8.3.0+8223+6212645f.x86_64.rpm ipa-debugsource-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64.rpm ipa-debugsource-4.8.7-12.module+el8.3.0+8223+6212645f.x86_64.rpm ipa-server-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64.rpm ipa-server-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64.rpm ipa-server-trust-ad-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64.rpm ipa-server-trust-ad-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64.rpm opendnssec-2.1.6-2.module+el8.3.0+6580+328a3362.x86_64.rpm opendnssec-debuginfo-2.1.6-2.module+el8.3.0+6580+328a3362.x86_64.rpm opendnssec-debugsource-2.1.6-2.module+el8.3.0+6580+328a3362.x86_64.rpm slapi-nis-0.56.5-4.module+el8.3.0+8222+c1bff54a.x86_64.rpm slapi-nis-debuginfo-0.56.5-4.module+el8.3.0+8222+c1bff54a.x86_64.rpm slapi-nis-debugsource-0.56.5-4.module+el8.3.0+8222+c1bff54a.x86_64.rpm softhsm-2.6.0-3.module+el8.3.0+6909+fb33717d.x86_64.rpm softhsm-debuginfo-2.6.0-3.module+el8.3.0+6909+fb33717d.x86_64.rpm softhsm-debugsource-2.6.0-3.module+el8.3.0+6909+fb33717d.x86_64.rpm softhsm-devel-2.6.0-3.module+el8.3.0+6909+fb33717d.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. 
References:

https://access.redhat.com/security/cve/CVE-2015-9251
https://access.redhat.com/security/cve/CVE-2016-10735
https://access.redhat.com/security/cve/CVE-2018-14040
https://access.redhat.com/security/cve/CVE-2018-14042
https://access.redhat.com/security/cve/CVE-2018-20676
https://access.redhat.com/security/cve/CVE-2018-20677
https://access.redhat.com/security/cve/CVE-2019-8331
https://access.redhat.com/security/cve/CVE-2019-11358
https://access.redhat.com/security/cve/CVE-2020-1722
https://access.redhat.com/security/cve/CVE-2020-11022
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX6I0xtzjgjWX9erEAQioFw/+IiVoE8tPMkiNgSNrk05OezzG/Cev8wXY
mTJ+clSxujruzDZ1GyYz5Ua5v4+fwEHbTKVHiite3HKbYGgV9E5H9Y/JVR75rbPN
mIfAOLmvYDp3JeHT3RBqRrtviz2UaWRTmE8E30EoC0C912w0NHpwS3fhuRmJov1X
lflTtWlQCuPE/7yFQEZqYYjmKMqAVeDk4K6smM/aTzMyM+uFgaksiSTrLzU0mcHJ
AAn9h59qlwUXNGRbyBCoLMJrKq5Sw1+xz518XIIjJOQDJbSqu8syzKgi/qSFuLRp
2c/OSKJ98CVoiCcyhsBW/c3B6eoDmSfeKqt6JwVH/Sva+d7Oj5vpWTB5GW4hDFFh
t3cuhvyavPnyAzxRnYw5syn/RTyjaOK1U6+6SbEtJVnlx9+FW0lKs/Pcx2ocYmfO
UCDXHgxmEP8DTKwJZyIZtybVkpqbXh6jf69NLROTTZMtEwJzE1NGG4ulcl6tutTq
S0gchuiUuxItZlD3a9ISBXXxV0iqqd7I5p78maohzIwfyZR13S++rFt7JnoVb7SO
DECfEs6VinGH0Z0YInceF6Y9N+SURBrcQpQK12/wtGSChFFU83FII2sxy6iG7pTF
HPTzByu+aYgFpuEF4EKSrDlZCVJ8Es5lyp+cF401o3oGJuNo9WYScKjb51a0+SLJ
zbmM3GoiGZI=
=QyyK
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

Description: python-XStatic-Bootstrap-SCSS is the Bootstrap-SCSS JavaScript library packaged for setuptools / pip.
Description: Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.

Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link (you must log in to download the update).

OctoberCMS is a CMS similar to WordPress, but with much less “fluff”. SECURELI.com's team identified the latest version of OctoberCMS relying on Bootstrap 3.3.7, jQuery 1.11.1, and jQuery 3.3.1. All of these dependencies are vulnerable.

--------------------------------------------------
/october/themes/demo/assets/vendor/bootstrap.js
bootstrap 3.3.7 has known vulnerabilities
  severity: high
  issue: 28236
  summary: XSS in data-template, data-content and data-title properties of tooltip/popover
  CVE-2019-8331
  https://github.com/twbs/bootstrap/issues/28236

  severity: medium
  issue: 20184
  summary: XSS in data-target property of scrollspy
  CVE-2018-14041
  https://github.com/twbs/bootstrap/issues/20184

  severity: medium
  issue: 20184
  summary: XSS in collapse data-parent attribute
  CVE-2018-14040
  https://github.com/twbs/bootstrap/issues/20184

  severity: medium
  issue: 20184
  summary: XSS in data-container property of tooltip
  CVE-2018-14042
  https://github.com/twbs/bootstrap/issues/20184
--------------------------------------------------
/october/themes/demo/assets/vendor/jquery.js
jquery 1.11.1 has known vulnerabilities
  severity: medium
  issue: 2432
  summary: 3rd party CORS request may execute
  CVE-2015-9251
  https://github.com/jquery/jquery/issues/2432
  http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
  https://nvd.nist.gov/vuln/detail/CVE-2015-9251
  http://research.insecurelabs.org/jquery/test/

  severity: medium
  CVE-2015-9251
  issue: 11974
  summary: parseHTML() executes scripts in event handlers
  https://bugs.jquery.com/ticket/11974
  https://nvd.nist.gov/vuln/detail/CVE-2015-9251
  http://research.insecurelabs.org/jquery/test/

  severity: low
  CVE-2019-11358
  summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution
  https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
  https://nvd.nist.gov/vuln/detail/CVE-2019-11358
  https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
--------------------------------------------------
/october/modules/backend/assets/js/vendor/jquery-and-migrate.min.js
jquery 3.3.1 has known vulnerabilities
  severity: low
  CVE-2019-11358
  summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution
  https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
  https://nvd.nist.gov/vuln/detail/CVE-2019-11358
  https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b

All of these vulnerabilities were identified using RetireJS (https://retirejs.github.io/retire.js/), which identifies open source dependency vulnerabilities.

Research provided by SECURELI.com
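The data-template value that the NVD sentence at the top of this record names is markup that Bootstrap's tooltip and popover plugins turn straight into DOM nodes, which is why an attacker-controlled value became XSS and why the RetireJS finding above flags 3.3.7 for it. Bootstrap 3.4.1 and 4.3.1 closed the hole by passing the template through an allow-list sanitizer before use. The Python below is an added example modelled on that approach and is not Bootstrap's own code: ALLOWLIST, the two URL patterns and EVIL_TEMPLATE are constructed for the demo, and a linear HTMLParser pass stands in for the DOM walk Bootstrap performs in the browser.

```python
"""Allow-list sanitizer for tooltip/popover templates, modelled on the fix
Bootstrap 3.4.1 / 4.3.1 shipped for CVE-2019-8331.  Added example, not
Bootstrap's code: ALLOWLIST, the URL patterns and EVIL_TEMPLATE are constructed."""

import html
import re
from html.parser import HTMLParser

# Constructed allow-list (a subset of Bootstrap's default): tag -> attribute
# names or compiled patterns that may stay; "*" applies to every allowed tag.
ALLOWLIST = {
    "*": ["class", "dir", "id", "lang", "role", re.compile(r"^aria-[\w-]*$", re.I)],
    "a": ["target", "href", "title", "rel"],
    "img": ["src", "alt", "title", "width", "height"],
    "b": [], "br": [], "code": [], "div": [], "em": [], "hr": [], "i": [], "li": [],
    "ol": [], "p": [], "pre": [], "small": [], "span": [], "strong": [], "sub": [],
    "sup": [], "u": [], "ul": [],
}
URI_ATTRS = {"href", "src"}
# href/src must be a relative URL, an http(s)/mailto/ftp/tel/file URL, or a
# base64 data: URL of a media type; "javascript:" fails both patterns.
SAFE_URL = re.compile(r"^(?:(?:https?|mailto|ftp|tel|file):|[^&:/?#]*(?:[/?#]|$))", re.I)
DATA_URL = re.compile(
    r"^data:(?:image/(?:bmp|gif|jpeg|jpg|png|tiff|webp)|video/(?:mpeg|mp4|ogg|webm)"
    r"|audio/(?:mp3|oga|ogg|opus));base64,[a-z0-9+/]+=*$", re.I)
VOID_TAGS = {"area", "br", "col", "hr", "img", "input"}


class AllowlistSanitizer(HTMLParser):
    """Re-serialises markup keeping only allow-listed tags and attributes; a
    disallowed element is dropped with everything inside it, which is the
    effect of Bootstrap removing the node from the parsed template."""

    def __init__(self, allowlist=ALLOWLIST):
        super().__init__()
        self.allowlist = allowlist
        self.out = []
        self.dropped = []   # (tag, attribute-or-None) removed, for audit logs
        self._skip = 0      # > 0 while inside a disallowed element

    def _attr_ok(self, tag, name, value):
        rules = list(self.allowlist.get("*", [])) + list(self.allowlist.get(tag, []))
        if not any(r.match(name) if hasattr(r, "match") else r == name for r in rules):
            return False
        if name in URI_ATTRS:
            v = (value or "").strip()
            return bool(SAFE_URL.match(v) or DATA_URL.match(v))
        return True

    def handle_starttag(self, tag, attrs):
        if self._skip or tag not in self.allowlist:
            if not self._skip:
                self.dropped.append((tag, None))
            if tag not in VOID_TAGS:
                self._skip += 1   # swallow until the matching end tag
            return
        parts = [f"<{tag}"]
        for name, value in attrs:
            if self._attr_ok(tag, name, value):
                parts.append(f" {name}" if value is None
                             else f' {name}="{html.escape(value, quote=True)}"')
            else:
                self.dropped.append((tag, name))
        self.out.append("".join(parts) + ">")

    def handle_endtag(self, tag):
        if self._skip:
            if tag not in VOID_TAGS:
                self._skip -= 1
        elif tag in self.allowlist and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):   # comments, doctype and PIs hit the no-op defaults
        if not self._skip:
            self.out.append(html.escape(data, quote=False))


def sanitize_html(markup, allowlist=ALLOWLIST):
    """Return (clean_markup, dropped) for an attacker-influenced template."""
    p = AllowlistSanitizer(allowlist)
    p.feed(markup)
    p.close()
    return "".join(p.out), p.dropped


# Constructed attacker-supplied data-template: a normal tooltip skeleton
# followed by three payloads the allow-list has to neutralise.
EVIL_TEMPLATE = (
    '<div class="tooltip" role="tooltip"><div class="tooltip-arrow"></div>'
    '<div class="tooltip-inner"></div></div>'
    '<img src=x onerror="alert(document.domain)">'
    '<a href="javascript:alert(1)" aria-label="x">link</a>'
    '<script>alert(2)</script>'
)

if __name__ == "__main__":
    print("pre-3.4.1 behaviour, template used as-is:", EVIL_TEMPLATE)
    clean, dropped = sanitize_html(EVIL_TEMPLATE)
    print("sanitised:", clean)
    print("dropped:  ", dropped)
```

The first print shows what a Bootstrap release before 3.4.1 did with the attribute: the string reached the DOM unchanged, so the onerror handler, the javascript: link and the script element all survived. After the sanitizer the skeleton is intact, the img keeps only its src, the anchor keeps only its aria-label, and the script element is gone entirely; the dropped list is what you would log when a template is rejected in production.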

Trust: 1.71

sources: NVD: CVE-2019-8331 // VULHUB: VHN-159766 // PACKETSTORM: 170819 // PACKETSTORM: 170823 // PACKETSTORM: 170042 // PACKETSTORM: 170154 // PACKETSTORM: 159876 // PACKETSTORM: 160568 // PACKETSTORM: 153255 // PACKETSTORM: 156743

AFFECTED PRODUCTS

Each row is one side of a version range: scope gte gives the first affected version (inclusive), scope lt the first version outside the range (exclusive). The trust value is carried over from each original row.

vendor        model                                     scope  version   trust
getbootstrap  bootstrap                                 gte    4.3.0     1.0
f5            big-ip webaccelerator                     gte    13.0.0    1.0
f5            big-ip advanced firewall manager          lt     14.1.2.5  1.0
f5            big-ip domain name system                 gte    13.0.0    1.0
f5            big-ip access policy manager              gte    14.0.0    1.0
f5            big-ip domain name system                 lt     13.1.3.4  1.0
f5            big-ip link controller                    gte    13.0.0    1.0
f5            big-ip fraud protection service           lt     13.1.3.4  1.0
f5            big-ip webaccelerator                     gte    14.0.0    1.0
f5            big-ip policy enforcement manager         gte    13.0.0    1.0
f5            big-ip webaccelerator                     lt     15.1.0    1.0
f5            big-ip policy enforcement manager         lt     13.1.3.4  1.0
f5            big-ip application acceleration manager   lt     13.1.3.4  1.0
f5            big-ip analytics                          lt     13.1.3.4  1.0
f5            big-ip fraud protection service           lt     12.1.5.1  1.0
f5            big-ip access policy manager              gte    12.1.0    1.0
f5            big-ip policy enforcement manager         lt     12.1.5.1  1.0
f5            big-ip global traffic manager             lt     13.1.3.4  1.0
f5            big-ip application acceleration manager   lt     12.1.5.1  1.0
f5            big-ip application security manager       gte    15.0.0    1.0
f5            big-ip domain name system                 lt     15.1.0    1.0
f5            big-ip analytics                          gte    13.0.0    1.0
f5            big-ip webaccelerator                     gte    12.1.0    1.0
f5            big-ip fraud protection service           lt     14.1.2.5  1.0
f5            big-ip fraud protection service           gte    14.0.0    1.0
f5            big-ip access policy manager              gte    15.0.0    1.0
f5            big-ip fraud protection service           lt     15.1.0    1.0
f5            big-ip global traffic manager             lt     12.1.5.1  1.0
f5            big-ip local traffic manager              lt     13.1.3.4  1.0
f5            big-ip policy enforcement manager         lt     14.1.2.5  1.0
f5            big-ip application acceleration manager   lt     14.1.2.5  1.0
f5            big-ip application acceleration manager   gte    14.0.0    1.0
f5            big-ip analytics                          gte    14.0.0    1.0
f5            big-ip policy enforcement manager         lt     15.1.0    1.0
f5            big-ip application acceleration manager   lt     15.1.0    1.0
f5            big-ip webaccelerator                     gte    15.0.0    1.0
f5            big-ip access policy manager              lt     13.1.3.4  1.0
f5            big-ip analytics                          lt     15.1.0    1.0
f5            big-ip local traffic manager              lt     12.1.5.1  1.0
f5            big-ip edge gateway                       lt     13.1.3.4  1.0
f5            big-ip advanced firewall manager          lt     13.1.3.4  1.0
f5            big-ip global traffic manager             gte    14.0.0    1.0
f5            big-ip global traffic manager             lt     14.1.2.5  1.0
f5            big-ip application security manager       lt     13.1.3.4  1.0
f5            big-ip global traffic manager             lt     15.1.0    1.0
f5            big-ip access policy manager              lt     12.1.5.1  1.0
f5            big-ip fraud protection service           gte    12.1.0    1.0
f5            big-ip edge gateway                       lt     12.1.5.1  1.0
f5            big-ip advanced firewall manager          gte    13.0.0    1.0
f5            big-ip local traffic manager              lt     14.1.2.5  1.0
f5            big-ip local traffic manager              gte    14.0.0    1.0
f5            big-ip application security manager       lt     12.1.5.1  1.0
f5            big-ip application acceleration manager   gte    12.1.0    1.0
f5            big-ip local traffic manager              lt     15.1.0    1.0
f5            big-ip analytics                          gte    12.1.0    1.0
f5            big-ip fraud protection service           gte    15.0.0    1.0
f5            big-ip access policy manager              lt     14.1.2.5  1.0
f5            big-ip edge gateway                       lt     14.1.2.5  1.0
f5            big-ip edge gateway                       gte    14.0.0    1.0
f5            big-ip advanced firewall manager          gte    14.0.0    1.0
f5            big-ip global traffic manager             gte    12.1.0    1.0
f5            big-ip access policy manager              lt     15.1.0    1.0
f5            big-ip link controller                    lt     13.1.3.4  1.0
f5            big-ip application acceleration manager   gte    15.0.0    1.0
f5            big-ip advanced firewall manager          lt     15.1.0    1.0
f5            big-ip application security manager       lt     14.1.2.5  1.0
f5            big-ip analytics                          gte    15.0.0    1.0
f5            big-ip application security manager       gte    14.0.0    1.0
f5            big-ip edge gateway                       lt     15.1.0    1.0
f5            big-ip webaccelerator                     lt     12.1.5.1  1.0
f5            big-ip application security manager       lt     15.1.0    1.0
f5            big-ip link controller                    lt     12.1.5.1  1.0
f5            big-ip global traffic manager             gte    15.0.0    1.0
f5            big-ip local traffic manager              gte    12.1.0    1.0

vendor:redhatmodel:virtualization managerscope:eqversion:4.3

Trust: 1.0

vendor:f5model:big-ip webacceleratorscope:ltversion:14.1.2.5

Trust: 1.0

vendor:getbootstrapmodel:bootstrapscope:ltversion:4.3.1

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:14.0.0

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:ltversion:12.1.5.1

Trust: 1.0

vendor:f5model:big-ip edge gatewayscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip link controllerscope:ltversion:14.1.2.5

Trust: 1.0

vendor:getbootstrapmodel:bootstrapscope:ltversion:3.4.1

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:14.0.0

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:15.0.0

Trust: 1.0

vendor:f5model:big-ip application security managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip link controllerscope:ltversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:gteversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip edge gatewayscope:gteversion:15.0.0

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:gteversion:15.0.0

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:gteversion:14.0.0

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:ltversion:14.1.2.5

Trust: 1.0

vendor:f5model:big-ip analyticsscope:ltversion:12.1.5.1

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:gteversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip analyticsscope:ltversion:14.1.2.5

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:15.0.0

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:15.0.0

Trust: 1.0

vendor:f5model:big-ip edge gatewayscope:gteversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip application security managerscope:gteversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:ltversion:12.1.5.1

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:gteversion:15.0.0

Trust: 1.0

vendor:f5model:big-ip webacceleratorscope:ltversion:13.1.3.4

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:13.0.0

Trust: 1.0

vendor:tenablemodel:tenable.scscope:ltversion:5.19.0

Trust: 1.0

sources: NVD: CVE-2019-8331

CVSS

SEVERITY

nvd@nist.gov: CVE-2019-8331
value: MEDIUM

Trust: 1.0

VULHUB: VHN-159766
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2019-8331
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-159766
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2019-8331
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-159766 // NVD: CVE-2019-8331

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.1

sources: VULHUB: VHN-159766 // NVD: CVE-2019-8331

THREAT TYPE

remote

Trust: 0.1

sources: PACKETSTORM: 170042

TYPE

code execution, xss

Trust: 0.3

sources: PACKETSTORM: 170819 // PACKETSTORM: 170823 // PACKETSTORM: 153255

EXTERNAL IDS

db:NVD id:CVE-2019-8331

Trust: 1.9

db:PACKETSTORM id:156743

Trust: 1.2

db:BID id:107375

Trust: 1.1

db:TENABLE id:TNS-2021-14

Trust: 1.1

db:PACKETSTORM id:170823

Trust: 0.2

db:PACKETSTORM id:159876

Trust: 0.2

db:PACKETSTORM id:160568

Trust: 0.2

db:PACKETSTORM id:170819

Trust: 0.2

db:PACKETSTORM id:170042

Trust: 0.2

db:PACKETSTORM id:170154

Trust: 0.2

db:PACKETSTORM id:159852

Trust: 0.1

db:PACKETSTORM id:170821

Trust: 0.1

db:PACKETSTORM id:159353

Trust: 0.1

db:PACKETSTORM id:170817

Trust: 0.1

db:PACKETSTORM id:170155

Trust: 0.1

db:PACKETSTORM id:158750

Trust: 0.1

db:CNNVD id:CNNVD-201902-770

Trust: 0.1

db:VULHUB id:VHN-159766

Trust: 0.1

db:PACKETSTORM id:153255

Trust: 0.1

sources: VULHUB: VHN-159766 // PACKETSTORM: 170819 // PACKETSTORM: 170823 // PACKETSTORM: 170042 // PACKETSTORM: 170154 // PACKETSTORM: 159876 // PACKETSTORM: 160568 // PACKETSTORM: 153255 // PACKETSTORM: 156743 // NVD: CVE-2019-8331

REFERENCES

url:https://access.redhat.com/errata/rhsa-2019:1456

Trust: 1.2

url:http://www.securityfocus.com/bid/107375

Trust: 1.1

url:https://seclists.org/bugtraq/2019/may/18

Trust: 1.1

url:https://www.tenable.com/security/tns-2021-14

Trust: 1.1

url:https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/

Trust: 1.1

url:https://support.f5.com/csp/article/k24383845

Trust: 1.1

url:http://seclists.org/fulldisclosure/2019/may/13

Trust: 1.1

url:http://seclists.org/fulldisclosure/2019/may/11

Trust: 1.1

url:http://seclists.org/fulldisclosure/2019/may/10

Trust: 1.1

url:http://packetstormsecurity.com/files/156743/octobercms-insecure-dependencies.html

Trust: 1.1

url:https://github.com/twbs/bootstrap/pull/28236

Trust: 1.1

url:https://github.com/twbs/bootstrap/releases/tag/v3.4.1

Trust: 1.1

url:https://github.com/twbs/bootstrap/releases/tag/v4.3.1

Trust: 1.1

url:https://www.oracle.com/security-alerts/cpuapr2021.html

Trust: 1.1

url:https://access.redhat.com/errata/rhsa-2019:3023

Trust: 1.1

url:https://access.redhat.com/errata/rhsa-2019:3024

Trust: 1.1

url:https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731%40%3cdev.flink.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3cissues.drill.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3cdev.drill.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2%40%3cuser.flink.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49%40%3cuser.flink.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/52e0e6b5df827ee7f1e68f7cc3babe61af3b2160f5d74a85469b7b0e%40%3cdev.superset.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/r3dc0cac8d856bca02bd6997355d7ff83027dcfc82f8646a29b89b714%40%3cissues.hbase.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3cdev.drill.apache.org%3e

Trust: 1.0

url:https://support.f5.com/csp/article/k24383845?utm_source=f5support&amp%3butm_medium=rss

Trust: 1.0

url:https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854%40%3cuser.flink.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3ccommits.pulsar.apache.org%3e

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2019-8331

Trust: 0.8

url:https://access.redhat.com/security/team/contact/

Trust: 0.7

url:https://bugzilla.redhat.com/

Trust: 0.7

url:https://access.redhat.com/security/cve/cve-2019-8331

Trust: 0.7

url:https://access.redhat.com/security/team/key/

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2018-14042

Trust: 0.5

url:https://access.redhat.com/security/cve/cve-2016-10735

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2016-10735

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2019-11358

Trust: 0.5

url:https://access.redhat.com/articles/11258

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2018-14040

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2018-14041

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2019-11358

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2015-9251

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2018-14042

Trust: 0.4

url:https://listman.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.4

url:https://access.redhat.com/security/updates/classification/#moderate

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2018-14040

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2015-9251

Trust: 0.3

url:https://access.redhat.com/security/updates/classification/#important

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2020-11022

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2020-11022

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2018-14041

Trust: 0.3

url:https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2018-20676

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2018-20676

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2018-20677

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2018-20677

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2020-11023

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-40150

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-3143

Trust: 0.2

url:https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-42003

Trust: 0.2

url:https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-42004

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-40150

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-45047

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2017-18214

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-40152

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-40149

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-40149

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-11023

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-40152

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2017-18214

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-45693

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-46364

Trust: 0.2

url:https://issues.jboss.org/

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-3143

Trust: 0.2

url:https://support.f5.com/csp/article/k24383845?utm_source=f5support&amp;amp;utm_medium=rss

Trust: 0.1

url:https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3cdev.drill.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3cdev.drill.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3cissues.drill.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3cdev.flink.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854@%3cuser.flink.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49@%3cuser.flink.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2@%3cuser.flink.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/r3dc0cac8d856bca02bd6997355d7ff83027dcfc82f8646a29b89b714@%3cissues.hbase.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3ccommits.pulsar.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/52e0e6b5df827ee7f1e68f7cc3babe61af3b2160f5d74a85469b7b0e@%3cdev.superset.apache.org%3e

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2023:0554

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2023:0553

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-2053

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-24823

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-31129

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2022:8652

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-31197

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-38749

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-3717

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-24785

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-2048

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-31684

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-24785

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-0613

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-3717

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-24823

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-33980

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-2048

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-44906

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-33980

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-31684

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-2053

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-41853

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-31129

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-44906

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-25857

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-42889

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-24723

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-31197

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-0613

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-24723

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-25857

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2022:8865

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-1722

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-1722

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2020:4670

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2020:5571

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-3875

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-10157

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-3873

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-3888

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-3875

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-3888

Trust: 0.1

url:https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=core.service.rhsso&downloadtype=securitypatches&version=7.3

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-10157

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-3872

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-3872

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-3873

Trust: 0.1

url:https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/

Trust: 0.1

url:https://bugs.jquery.com/ticket/11974

Trust: 0.1

url:https://github.com/jquery/jquery/issues/2432

Trust: 0.1

url:https://github.com/twbs/bootstrap/issues/20184

Trust: 0.1

url:http://research.insecurelabs.org/jquery/test/

Trust: 0.1

url:https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b

Trust: 0.1

url:https://retirejs.github.io/retire.js/

Trust: 0.1

url:http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/

Trust: 0.1

url:https://github.com/twbs/bootstrap/issues/28236

Trust: 0.1

sources: VULHUB: VHN-159766 // PACKETSTORM: 170819 // PACKETSTORM: 170823 // PACKETSTORM: 170042 // PACKETSTORM: 170154 // PACKETSTORM: 159876 // PACKETSTORM: 160568 // PACKETSTORM: 153255 // PACKETSTORM: 156743 // NVD: CVE-2019-8331

CREDITS

Red Hat

Trust: 0.7

sources: PACKETSTORM: 170819 // PACKETSTORM: 170823 // PACKETSTORM: 170042 // PACKETSTORM: 170154 // PACKETSTORM: 159876 // PACKETSTORM: 160568 // PACKETSTORM: 153255

SOURCES

db:VULHUB id:VHN-159766
db:PACKETSTORM id:170819
db:PACKETSTORM id:170823
db:PACKETSTORM id:170042
db:PACKETSTORM id:170154
db:PACKETSTORM id:159876
db:PACKETSTORM id:160568
db:PACKETSTORM id:153255
db:PACKETSTORM id:156743
db:NVD id:CVE-2019-8331

LAST UPDATE DATE

2025-12-22T20:42:27.473000+00:00

SOURCES UPDATE DATE

db:VULHUB id:VHN-159766 date:2019-06-11T00:00:00
db:NVD id:CVE-2019-8331 date:2024-11-21T04:49:42.020

SOURCES RELEASE DATE

db:VULHUB id:VHN-159766 date:2019-02-20T00:00:00
db:PACKETSTORM id:170819 date:2023-01-31T17:19:24
db:PACKETSTORM id:170823 date:2023-01-31T17:26:38
db:PACKETSTORM id:170042 date:2022-11-29T16:03:19
db:PACKETSTORM id:170154 date:2022-12-08T16:27:25
db:PACKETSTORM id:159876 date:2020-11-04T15:32:52
db:PACKETSTORM id:160568 date:2020-12-16T18:19:59
db:PACKETSTORM id:153255 date:2019-06-11T10:33:22
db:PACKETSTORM id:156743 date:2020-03-15T12:44:44
db:NVD id:CVE-2019-8331 date:2019-02-20T16:29:00.837