Details of VAR-202004-2191

ID

VAR-202004-2191

CVE

CVE-2020-11022

TITLE

Debian Security Advisory 4693-1

Trust: 0.1

sources: PACKETSTORM: 168835

DESCRIPTION

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. jQuery is an open source, cross-browser JavaScript library developed by American John Resig programmers. The library simplifies the operation between HTML and JavaScript, and has the characteristics of modularization and plug-in extension. A cross-site scripting vulnerability exists in jQuery versions 1.2 through 3.5.0. The vulnerability stems from the lack of correct validation of client data in WEB applications. An attacker could exploit this vulnerability to execute client code. For the oldstable distribution (stretch), these problems have been fixed in version 7.52-2+deb9u10. We recommend that you upgrade your drupal7 packages. For the detailed security status of drupal7 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/drupal7 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl7NhRgACgkQEMKTtsN8 TjZELQ//ao+AlYru8sTlC4Axs1r3QfXyq/FFn55C2faDkZonWP3+S4O5GjJaDwcH q9J1OBhvlkTsRkP55qGplUi9pLxs8OTdnJD5VnRXsvijVEhhZ5DOYnLJcLQ5Ggq5 Io8ImGbrGY64qItxmEXUyFfI0YrJ/s1aagUBodORaF6yeJ6DwqIxRVRBS4A3UD61 AH0u/cw69y7WHf1FLpPYAWZSZ0lzkPFxUbi8DlYzwPZApQfhOFCYoWjdziUbxZUU yZH8M0CORFG2ron8K+sbgKPpepRc6u55OxYU1WxzejJSfKKnGhhaNBrztbgomtIB pLQ+BSB2tD5iOR/QcdXgmhhTrApUSiR6dF2iPwXt1Bo2+1l2ChEVYfi1q1ggTx5O e6xulfy+3xSPI4afi4gL1KTHJkg9OZnU1pST3kSxBp/gp+/I473EYqwzhlB14msU SqNy5kId+GsYzMsvcufbOEsqR2ffAGDz9RNPF7NkfphvAT9YyaXq0kgmnxtMiac1 Um1/7oDh4dZBTzFNnvWRYWQcydgfDvEzW1TQdCd2hp8YTXjhCFNeJrxQx0O9eLxv jcWC+z0rfQeiUAk7VtqeoCDRS6deVxm1TfXXcV0vgyKGQh5/FBVo9V2L9ag/8phO 0l0TPROG766wZDooBFXNWerf85AT5zCIFopeZopPyuQNIjJA2UU= =yOQd -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update Advisory ID: RHSA-2020:4847-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:4847 Issue date: 2020-11-03 CVE Names: CVE-2015-9251 CVE-2016-10735 CVE-2018-14040 CVE-2018-14042 CVE-2019-8331 CVE-2019-10146 CVE-2019-10179 CVE-2019-10221 CVE-2019-11358 CVE-2020-1721 CVE-2020-11022 CVE-2020-11023 CVE-2020-15720 ==================================================================== 1. Summary: An update for the pki-core:10.6 and pki-deps:10.6 modules is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64 3. Description: The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate System. Security Fix(es): * jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251) * bootstrap: XSS in the data-target attribute (CVE-2016-10735) * bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040) * bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042) * bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331) * jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358) * jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022) * jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution (CVE-2020-11023) * pki: Dogtag's python client does not validate certificates (CVE-2020-15720) * pki-core: Reflected XSS in 'path length' constraint field in CA's Agent page (CVE-2019-10146) * pki-core/pki-kra: Reflected XSS in recoveryID search field at KRA's DRM agent page in authorize recovery tab (CVE-2019-10179) * pki-core: Reflected XSS in getcookies?url= endpoint in CA (CVE-2019-10221) * pki-core: KRA vulnerable to reflected XSS via the getPk12 page (CVE-2020-1721) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.3 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1376706 - restore SerialNumber tag in caManualRenewal xml 1399546 - CVE-2015-9251 jquery: Cross-site scripting via cross-domain ajax requests 1406505 - KRA ECC installation failed with shared tomcat 1601614 - CVE-2018-14040 bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute 1601617 - CVE-2018-14042 bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip 1666907 - CC: Enable AIA OCSP cert checking for entire cert chain 1668097 - CVE-2016-10735 bootstrap: XSS in the data-target attribute 1686454 - CVE-2019-8331 bootstrap: XSS in the tooltip or popover data-template attribute 1695901 - CVE-2019-10179 pki-core/pki-kra: Reflected XSS in recoveryID search field at KRA's DRM agent page in authorize recovery tab 1701972 - CVE-2019-11358 jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection 1706521 - CA - SubjectAltNameExtInput does not display text fields to the enrollment page 1710171 - CVE-2019-10146 pki-core: Reflected XSS in 'path length' constraint field in CA's Agent page 1721684 - Rebase pki-servlet-engine to 9.0.30 1724433 - caTransportCert.cfg contains MD2/MD5withRSA as signingAlgsAllowed. 1732565 - CVE-2019-10221 pki-core: Reflected XSS in getcookies?url= endpoint in CA 1732981 - When nuxwdog is enabled pkidaemon status shows instances as stopped. 1777579 - CVE-2020-1721 pki-core: KRA vulnerable to reflected XSS via the getPk12 page 1805541 - [RFE] CA Certificate Transparency with Embedded Signed Certificate Time stamp 1817247 - Upgrade to 10.8.3 breaks PKI Tomcat Server 1821851 - [RFE] Provide SSLEngine via JSSProvider for use with PKI 1822246 - JSS - NativeProxy never calls releaseNativeResources - Memory Leak 1824939 - JSS: add RSA PSS support - RHEL 8.3 1824948 - add RSA PSS support - RHEL 8.3 1825998 - CertificatePoliciesExtDefault MAX_NUM_POLICIES hardcoded limit 1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method 1842734 - CVE-2019-10179 pki-core: pki-core/pki-kra: Reflected XSS in recoveryID search field at KRA's DRM agent page in authorize recovery tab [rhel-8] 1842736 - CVE-2019-10146 pki-core: Reflected Cross-Site Scripting in 'path length' constraint field in CA's Agent page [rhel-8] 1843537 - Able to Perform PKI CLI operations like cert request and approval without nssdb password 1845447 - pkispawn fails in FIPS mode: AJP connector has secretRequired="true" but no secret 1850004 - CVE-2020-11023 jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution 1854043 - /usr/bin/PrettyPrintCert is failing with a ClassNotFoundException 1854959 - ca-profile-add with Netscape extensions nsCertSSLClient and nsCertEmail in the profile gets stuck in processing 1855273 - CVE-2020-15720 pki: Dogtag's python client does not validate certificates 1855319 - Not able to launch pkiconsole 1856368 - kra-key-generate request is failing 1857933 - CA Installation is failing with ncipher v12.30 HSM 1861911 - pki cli ca-cert-request-approve hangs over crmf request from client-cert-request 1869893 - Common certificates are missing in CS.cfg on shared PKI instance 1871064 - replica install failing during pki-ca component configuration 1873235 - pki ca-user-cert-add with secure port failed with 'SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT' 6. Package List: Red Hat Enterprise Linux AppStream (v. 8): Source: apache-commons-collections-3.2.2-10.module+el8.1.0+3366+6dfb954c.src.rpm apache-commons-lang-2.6-21.module+el8.1.0+3366+6dfb954c.src.rpm apache-commons-net-3.6-3.module+el8.3.0+6805+72837426.src.rpm bea-stax-1.2.0-16.module+el8.1.0+3366+6dfb954c.src.rpm glassfish-fastinfoset-1.2.13-9.module+el8.1.0+3366+6dfb954c.src.rpm glassfish-jaxb-2.2.11-11.module+el8.1.0+3366+6dfb954c.src.rpm glassfish-jaxb-api-2.2.12-8.module+el8.1.0+3366+6dfb954c.src.rpm jackson-annotations-2.10.0-1.module+el8.2.0+5059+3eb3af25.src.rpm jackson-core-2.10.0-1.module+el8.2.0+5059+3eb3af25.src.rpm jackson-databind-2.10.0-1.module+el8.2.0+5059+3eb3af25.src.rpm jackson-jaxrs-providers-2.9.9-1.module+el8.1.0+3832+9784644d.src.rpm jackson-module-jaxb-annotations-2.7.6-4.module+el8.1.0+3366+6dfb954c.src.rpm jakarta-commons-httpclient-3.1-28.module+el8.1.0+3366+6dfb954c.src.rpm javassist-3.18.1-8.module+el8.1.0+3366+6dfb954c.src.rpm jss-4.7.3-1.module+el8.3.0+8058+d5cd4219.src.rpm ldapjdk-4.22.0-1.module+el8.3.0+6784+6e1e4c62.src.rpm pki-core-10.9.4-1.module+el8.3.0+8058+d5cd4219.src.rpm pki-servlet-engine-9.0.30-1.module+el8.3.0+6730+8f9c6254.src.rpm python-nss-1.0.1-10.module+el8.1.0+3366+6dfb954c.src.rpm relaxngDatatype-2011.1-7.module+el8.1.0+3366+6dfb954c.src.rpm resteasy-3.0.26-3.module+el8.2.0+5723+4574fbff.src.rpm slf4j-1.7.25-4.module+el8.1.0+3366+6dfb954c.src.rpm stax-ex-1.7.7-8.module+el8.2.0+5723+4574fbff.src.rpm tomcatjss-7.5.0-1.module+el8.3.0+7355+c59bcbd9.src.rpm velocity-1.7-24.module+el8.1.0+3366+6dfb954c.src.rpm xalan-j2-2.7.1-38.module+el8.1.0+3366+6dfb954c.src.rpm xerces-j2-2.11.0-34.module+el8.1.0+3366+6dfb954c.src.rpm xml-commons-apis-1.4.01-25.module+el8.1.0+3366+6dfb954c.src.rpm xml-commons-resolver-1.2-26.module+el8.1.0+3366+6dfb954c.src.rpm xmlstreambuffer-1.5.4-8.module+el8.2.0+5723+4574fbff.src.rpm xsom-0-19.20110809svn.module+el8.1.0+3366+6dfb954c.src.rpm aarch64: jss-4.7.3-1.module+el8.3.0+8058+d5cd4219.aarch64.rpm jss-debuginfo-4.7.3-1.module+el8.3.0+8058+d5cd4219.aarch64.rpm jss-debugsource-4.7.3-1.module+el8.3.0+8058+d5cd4219.aarch64.rpm jss-javadoc-4.7.3-1.module+el8.3.0+8058+d5cd4219.aarch64.rpm pki-core-debuginfo-10.9.4-1.module+el8.3.0+8058+d5cd4219.aarch64.rpm pki-core-debugsource-10.9.4-1.module+el8.3.0+8058+d5cd4219.aarch64.rpm pki-symkey-10.9.4-1.module+el8.3.0+8058+d5cd4219.aarch64.rpm pki-symkey-debuginfo-10.9.4-1.module+el8.3.0+8058+d5cd4219.aarch64.rpm pki-tools-10.9.4-1.module+el8.3.0+8058+d5cd4219.aarch64.rpm pki-tools-debuginfo-10.9.4-1.module+el8.3.0+8058+d5cd4219.aarch64.rpm python-nss-debugsource-1.0.1-10.module+el8.1.0+3366+6dfb954c.aarch64.rpm python-nss-doc-1.0.1-10.module+el8.1.0+3366+6dfb954c.aarch64.rpm python3-nss-1.0.1-10.module+el8.1.0+3366+6dfb954c.aarch64.rpm python3-nss-debuginfo-1.0.1-10.module+el8.1.0+3366+6dfb954c.aarch64.rpm noarch: apache-commons-collections-3.2.2-10.module+el8.1.0+3366+6dfb954c.noarch.rpm apache-commons-lang-2.6-21.module+el8.1.0+3366+6dfb954c.noarch.rpm apache-commons-net-3.6-3.module+el8.3.0+6805+72837426.noarch.rpm bea-stax-api-1.2.0-16.module+el8.1.0+3366+6dfb954c.noarch.rpm glassfish-fastinfoset-1.2.13-9.module+el8.1.0+3366+6dfb954c.noarch.rpm glassfish-jaxb-api-2.2.12-8.module+el8.1.0+3366+6dfb954c.noarch.rpm glassfish-jaxb-core-2.2.11-11.module+el8.1.0+3366+6dfb954c.noarch.rpm glassfish-jaxb-runtime-2.2.11-11.module+el8.1.0+3366+6dfb954c.noarch.rpm glassfish-jaxb-txw2-2.2.11-11.module+el8.1.0+3366+6dfb954c.noarch.rpm jackson-annotations-2.10.0-1.module+el8.2.0+5059+3eb3af25.noarch.rpm jackson-core-2.10.0-1.module+el8.2.0+5059+3eb3af25.noarch.rpm jackson-databind-2.10.0-1.module+el8.2.0+5059+3eb3af25.noarch.rpm jackson-jaxrs-json-provider-2.9.9-1.module+el8.1.0+3832+9784644d.noarch.rpm jackson-jaxrs-providers-2.9.9-1.module+el8.1.0+3832+9784644d.noarch.rpm jackson-module-jaxb-annotations-2.7.6-4.module+el8.1.0+3366+6dfb954c.noarch.rpm jakarta-commons-httpclient-3.1-28.module+el8.1.0+3366+6dfb954c.noarch.rpm javassist-3.18.1-8.module+el8.1.0+3366+6dfb954c.noarch.rpm javassist-javadoc-3.18.1-8.module+el8.1.0+3366+6dfb954c.noarch.rpm ldapjdk-4.22.0-1.module+el8.3.0+6784+6e1e4c62.noarch.rpm ldapjdk-javadoc-4.22.0-1.module+el8.3.0+6784+6e1e4c62.noarch.rpm pki-base-10.9.4-1.module+el8.3.0+8058+d5cd4219.noarch.rpm pki-base-java-10.9.4-1.module+el8.3.0+8058+d5cd4219.noarch.rpm pki-ca-10.9.4-1.module+el8.3.0+8058+d5cd4219.noarch.rpm pki-kra-10.9.4-1.module+el8.3.0+8058+d5cd4219.noarch.rpm pki-server-10.9.4-1.module+el8.3.0+8058+d5cd4219.noarch.rpm pki-servlet-4.0-api-9.0.30-1.module+el8.3.0+6730+8f9c6254.noarch.rpm pki-servlet-engine-9.0.30-1.module+el8.3.0+6730+8f9c6254.noarch.rpm python3-pki-10.9.4-1.module+el8.3.0+8058+d5cd4219.noarch.rpm relaxngDatatype-2011.1-7.module+el8.1.0+3366+6dfb954c.noarch.rpm resteasy-3.0.26-3.module+el8.2.0+5723+4574fbff.noarch.rpm slf4j-1.7.25-4.module+el8.1.0+3366+6dfb954c.noarch.rpm slf4j-jdk14-1.7.25-4.module+el8.1.0+3366+6dfb954c.noarch.rpm stax-ex-1.7.7-8.module+el8.2.0+5723+4574fbff.noarch.rpm tomcatjss-7.5.0-1.module+el8.3.0+7355+c59bcbd9.noarch.rpm velocity-1.7-24.module+el8.1.0+3366+6dfb954c.noarch.rpm xalan-j2-2.7.1-38.module+el8.1.0+3366+6dfb954c.noarch.rpm xerces-j2-2.11.0-34.module+el8.1.0+3366+6dfb954c.noarch.rpm xml-commons-apis-1.4.01-25.module+el8.1.0+3366+6dfb954c.noarch.rpm xml-commons-resolver-1.2-26.module+el8.1.0+3366+6dfb954c.noarch.rpm xmlstreambuffer-1.5.4-8.module+el8.2.0+5723+4574fbff.noarch.rpm xsom-0-19.20110809svn.module+el8.1.0+3366+6dfb954c.noarch.rpm ppc64le: jss-4.7.3-1.module+el8.3.0+8058+d5cd4219.ppc64le.rpm jss-debuginfo-4.7.3-1.module+el8.3.0+8058+d5cd4219.ppc64le.rpm jss-debugsource-4.7.3-1.module+el8.3.0+8058+d5cd4219.ppc64le.rpm jss-javadoc-4.7.3-1.module+el8.3.0+8058+d5cd4219.ppc64le.rpm pki-core-debuginfo-10.9.4-1.module+el8.3.0+8058+d5cd4219.ppc64le.rpm pki-core-debugsource-10.9.4-1.module+el8.3.0+8058+d5cd4219.ppc64le.rpm pki-symkey-10.9.4-1.module+el8.3.0+8058+d5cd4219.ppc64le.rpm pki-symkey-debuginfo-10.9.4-1.module+el8.3.0+8058+d5cd4219.ppc64le.rpm pki-tools-10.9.4-1.module+el8.3.0+8058+d5cd4219.ppc64le.rpm pki-tools-debuginfo-10.9.4-1.module+el8.3.0+8058+d5cd4219.ppc64le.rpm python-nss-debugsource-1.0.1-10.module+el8.1.0+3366+6dfb954c.ppc64le.rpm python-nss-doc-1.0.1-10.module+el8.1.0+3366+6dfb954c.ppc64le.rpm python3-nss-1.0.1-10.module+el8.1.0+3366+6dfb954c.ppc64le.rpm python3-nss-debuginfo-1.0.1-10.module+el8.1.0+3366+6dfb954c.ppc64le.rpm s390x: jss-4.7.3-1.module+el8.3.0+8058+d5cd4219.s390x.rpm jss-debuginfo-4.7.3-1.module+el8.3.0+8058+d5cd4219.s390x.rpm jss-debugsource-4.7.3-1.module+el8.3.0+8058+d5cd4219.s390x.rpm jss-javadoc-4.7.3-1.module+el8.3.0+8058+d5cd4219.s390x.rpm pki-core-debuginfo-10.9.4-1.module+el8.3.0+8058+d5cd4219.s390x.rpm pki-core-debugsource-10.9.4-1.module+el8.3.0+8058+d5cd4219.s390x.rpm pki-symkey-10.9.4-1.module+el8.3.0+8058+d5cd4219.s390x.rpm pki-symkey-debuginfo-10.9.4-1.module+el8.3.0+8058+d5cd4219.s390x.rpm pki-tools-10.9.4-1.module+el8.3.0+8058+d5cd4219.s390x.rpm pki-tools-debuginfo-10.9.4-1.module+el8.3.0+8058+d5cd4219.s390x.rpm python-nss-debugsource-1.0.1-10.module+el8.1.0+3366+6dfb954c.s390x.rpm python-nss-doc-1.0.1-10.module+el8.1.0+3366+6dfb954c.s390x.rpm python3-nss-1.0.1-10.module+el8.1.0+3366+6dfb954c.s390x.rpm python3-nss-debuginfo-1.0.1-10.module+el8.1.0+3366+6dfb954c.s390x.rpm x86_64: jss-4.7.3-1.module+el8.3.0+8058+d5cd4219.x86_64.rpm jss-debuginfo-4.7.3-1.module+el8.3.0+8058+d5cd4219.x86_64.rpm jss-debugsource-4.7.3-1.module+el8.3.0+8058+d5cd4219.x86_64.rpm jss-javadoc-4.7.3-1.module+el8.3.0+8058+d5cd4219.x86_64.rpm pki-core-debuginfo-10.9.4-1.module+el8.3.0+8058+d5cd4219.x86_64.rpm pki-core-debugsource-10.9.4-1.module+el8.3.0+8058+d5cd4219.x86_64.rpm pki-symkey-10.9.4-1.module+el8.3.0+8058+d5cd4219.x86_64.rpm pki-symkey-debuginfo-10.9.4-1.module+el8.3.0+8058+d5cd4219.x86_64.rpm pki-tools-10.9.4-1.module+el8.3.0+8058+d5cd4219.x86_64.rpm pki-tools-debuginfo-10.9.4-1.module+el8.3.0+8058+d5cd4219.x86_64.rpm python-nss-debugsource-1.0.1-10.module+el8.1.0+3366+6dfb954c.x86_64.rpm python-nss-doc-1.0.1-10.module+el8.1.0+3366+6dfb954c.x86_64.rpm python3-nss-1.0.1-10.module+el8.1.0+3366+6dfb954c.x86_64.rpm python3-nss-debuginfo-1.0.1-10.module+el8.1.0+3366+6dfb954c.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-9251 https://access.redhat.com/security/cve/CVE-2016-10735 https://access.redhat.com/security/cve/CVE-2018-14040 https://access.redhat.com/security/cve/CVE-2018-14042 https://access.redhat.com/security/cve/CVE-2019-8331 https://access.redhat.com/security/cve/CVE-2019-10146 https://access.redhat.com/security/cve/CVE-2019-10179 https://access.redhat.com/security/cve/CVE-2019-10221 https://access.redhat.com/security/cve/CVE-2019-11358 https://access.redhat.com/security/cve/CVE-2020-1721 https://access.redhat.com/security/cve/CVE-2020-11022 https://access.redhat.com/security/cve/CVE-2020-11023 https://access.redhat.com/security/cve/CVE-2020-15720 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/ 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX6I3GNzjgjWX9erEAQiK8w//dJasljC8LcJheQtDfUXL+EG52rGjpyxU B5iSYariTDhQOFRt22udOjbdBaISRD77ozLdz0LusA1NBtR3hQ49ryIWyMUxLNsi 46FLY44YxMY7uofZJExUJoEkN39CYwXqIOaaGnZ8mkn4QVdoKG+UBvBL3gKcE3uk h+PWQaasCHL96ZuLz5OB1ya0StcgVcnIDOJleP0f4TGI8w5LKSj1bdJz2fD1H+JP iBa3QVedFanQpWVqCAjaw2lH+fQUB4F936XltKsqCKD9uaX1A2m+xAMZ8wuHcCUl Nudj4LwT06xGd36tyQVh+0ZolB7aKmErYNicv25VNz1c/QlmXCiBJi3Y62/a7La0 t8bGYPE01RTI1YvLs8c+Bw0SH+NcGPGtLw9Vd8w9hFYed7JUP6Iv9v/lSfbiUXDD R5gcEJPQtN2pRsqZaCmQCY2i9aNwjmyZ3wggmXJ4DtEy5adTmAmTL/Alf8kx1rfC UjfeBWVQ01QMIcwNCZM9ly6au06fioPjHhusCFPqPWnGCoT6mysF//ZOhLemUQci ecbYX+JbbUnbyWQPVIBhV/Zj4D6SqNtY5rciorwTedC8n2zX/8ORTCn1PZz8Oc1S ebaoJI0TA2DuiUtPkKz1REcD8rnSCxPIhCYWfb4nIXKGjBINW8ueyG27VPprkSOh +Ybici9RaUE=VLtX -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . You can also manage user accounts for web applications, mobile applications, and RESTful web services. Description: Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. Description: Security Fix(es): * Addressed a security issue which can allow a malicious playbook author to elevate to the awx user from outside the isolated environment: CVE-2021-20253 * Upgraded to a more recent version of nginx to address CVE-2019-20372 * Upgraded to a more recent version of autobahn to address CVE-2020-35678 * Upgraded to a more recent version of jquery to address CVE-2020-11022 and CVE-2020-11023 For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution: For information on upgrading Ansible Tower, reference the Ansible Tower Upgrade and Migration Guide: https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/ index.html 4

Trust: 1.53

sources: NVD: CVE-2020-11022 // VULHUB: VHN-163559 // PACKETSTORM: 168835 // PACKETSTORM: 159852 // PACKETSTORM: 171215 // PACKETSTORM: 171214 // PACKETSTORM: 171212 // PACKETSTORM: 161727

AFFECTED PRODUCTS

vendor:	oracle	model:	jdeveloper	scope:	eq	version:	12.2.1.3.0	Trust: 1.0
vendor:	oracle	model:	jdeveloper	scope:	eq	version:	12.2.1.4.0	Trust: 1.0
vendor:	oracle	model:	financial services data foundation	scope:	gte	version:	8.0.6	Trust: 1.0
vendor:	oracle	model:	financial services analytical applications infrastructure	scope:	gte	version:	8.0.6.0.0	Trust: 1.0
vendor:	oracle	model:	hospitality simphony	scope:	eq	version:	19.1.0-19.1.2	Trust: 1.0
vendor:	oracle	model:	financial services market risk measurement and management	scope:	eq	version:	8.0.8	Trust: 1.0
vendor:	drupal	model:	drupal	scope:	gte	version:	8.7.0	Trust: 1.0
vendor:	oracle	model:	financial services liquidity risk measurement and management	scope:	eq	version:	8.1.0	Trust: 1.0
vendor:	oracle	model:	financial services analytical applications infrastructure	scope:	gte	version:	8.0.6	Trust: 1.0
vendor:	netapp	model:	h300s	scope:	eq	version:	-	Trust: 1.0
vendor:	drupal	model:	drupal	scope:	lt	version:	8.7.14	Trust: 1.0
vendor:	oracle	model:	communications billing and revenue management	scope:	eq	version:	12.0.0.3.0	Trust: 1.0
vendor:	oracle	model:	financial services analytical applications reconciliation framework	scope:	lte	version:	8.0.8	Trust: 1.0
vendor:	oracle	model:	hospitality materials control	scope:	eq	version:	18.1	Trust: 1.0
vendor:	oracle	model:	hospitality simphony	scope:	lte	version:	19.1.2	Trust: 1.0
vendor:	oracle	model:	financial services data governance for us regulatory reporting	scope:	lte	version:	8.0.9	Trust: 1.0
vendor:	oracle	model:	policy automation connector for siebel	scope:	eq	version:	10.4.6	Trust: 1.0
vendor:	oracle	model:	financial services analytical applications reconciliation framework	scope:	eq	version:	8.1.0	Trust: 1.0
vendor:	oracle	model:	financial services basel regulatory capital basic	scope:	lte	version:	8.0.8	Trust: 1.0
vendor:	oracle	model:	enterprise session border controller	scope:	eq	version:	8.4	Trust: 1.0
vendor:	oracle	model:	financial services institutional performance analytics	scope:	eq	version:	8.0.6	Trust: 1.0
vendor:	oracle	model:	financial services profitability management	scope:	eq	version:	8.0.6	Trust: 1.0
vendor:	oracle	model:	retail back office	scope:	eq	version:	14.0	Trust: 1.0
vendor:	netapp	model:	snapcenter	scope:	eq	version:	-	Trust: 1.0
vendor:	drupal	model:	drupal	scope:	gte	version:	8.8.0	Trust: 1.0
vendor:	oracle	model:	financial services price creation and discovery	scope:	eq	version:	8.0.7	Trust: 1.0
vendor:	oracle	model:	insurance data foundation	scope:	lte	version:	8.1.0	Trust: 1.0
vendor:	oracle	model:	banking digital experience	scope:	eq	version:	20.1	Trust: 1.0
vendor:	oracle	model:	insurance allocation manager for enterprise profitability	scope:	eq	version:	8.1.0	Trust: 1.0
vendor:	oracle	model:	financial services analytical applications reconciliation framework	scope:	gte	version:	8.0.6	Trust: 1.0
vendor:	oracle	model:	financial services liquidity risk measurement and management	scope:	eq	version:	8.0.7	Trust: 1.0
vendor:	oracle	model:	insurance accounting analyzer	scope:	eq	version:	8.0.9	Trust: 1.0
vendor:	oracle	model:	financial services loan loss forecasting and provisioning	scope:	eq	version:	8.1.0	Trust: 1.0
vendor:	oracle	model:	financial services funds transfer pricing	scope:	eq	version:	8.1.0	Trust: 1.0
vendor:	oracle	model:	insurance data foundation	scope:	gte	version:	8.0.6	Trust: 1.0
vendor:	oracle	model:	agile product lifecycle management for process	scope:	eq	version:	6.2.0.0	Trust: 1.0
vendor:	oracle	model:	peoplesoft enterprise peopletools	scope:	eq	version:	8.58	Trust: 1.0
vendor:	oracle	model:	communications eagle application processor	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	oracle	model:	banking digital experience	scope:	eq	version:	18.2	Trust: 1.0
vendor:	jquery	model:	jquery	scope:	gte	version:	1.2	Trust: 1.0
vendor:	oracle	model:	financial services basel regulatory capital basic	scope:	gte	version:	8.0.6	Trust: 1.0
vendor:	oracle	model:	financial services data governance for us regulatory reporting	scope:	gte	version:	8.0.6	Trust: 1.0
vendor:	oracle	model:	financial services profitability management	scope:	eq	version:	8.1.0	Trust: 1.0
vendor:	drupal	model:	drupal	scope:	gte	version:	7.0	Trust: 1.0
vendor:	oracle	model:	blockchain platform	scope:	lt	version:	21.1.2	Trust: 1.0
vendor:	drupal	model:	drupal	scope:	lt	version:	8.8.6	Trust: 1.0
vendor:	oracle	model:	communications diameter signaling router idih\:	scope:	lte	version:	8.2.2	Trust: 1.0
vendor:	fedoraproject	model:	fedora	scope:	eq	version:	31	Trust: 1.0
vendor:	oracle	model:	financial services loan loss forecasting and provisioning	scope:	gte	version:	8.0.6	Trust: 1.0
vendor:	oracle	model:	insurance insbridge rating and underwriting	scope:	gte	version:	5.0.0.0	Trust: 1.0
vendor:	oracle	model:	financial services regulatory reporting for european banking authority	scope:	lte	version:	8.1.0	Trust: 1.0
vendor:	netapp	model:	h300e	scope:	eq	version:	-	Trust: 1.0
vendor:	oracle	model:	banking digital experience	scope:	eq	version:	19.2	Trust: 1.0
vendor:	oracle	model:	healthcare foundation	scope:	eq	version:	7.2.0	Trust: 1.0
vendor:	oracle	model:	siebel ui framework	scope:	eq	version:	20.8	Trust: 1.0
vendor:	oracle	model:	weblogic server	scope:	eq	version:	14.1.1.0.0	Trust: 1.0
vendor:	oracle	model:	banking digital experience	scope:	lte	version:	20.1	Trust: 1.0
vendor:	netapp	model:	h700e	scope:	eq	version:	-	Trust: 1.0
vendor:	oracle	model:	weblogic server	scope:	eq	version:	12.2.1.3.0	Trust: 1.0
vendor:	oracle	model:	weblogic server	scope:	eq	version:	12.2.1.4.0	Trust: 1.0
vendor:	netapp	model:	h500s	scope:	eq	version:	-	Trust: 1.0
vendor:	oracle	model:	financial services funds transfer pricing	scope:	eq	version:	8.0.7	Trust: 1.0
vendor:	oracle	model:	financial services price creation and discovery	scope:	eq	version:	8.0.6	Trust: 1.0
vendor:	oracle	model:	healthcare foundation	scope:	eq	version:	7.2.1	Trust: 1.0
vendor:	oracle	model:	policy automation	scope:	lte	version:	12.2.20	Trust: 1.0
vendor:	netapp	model:	oncommand system manager	scope:	gte	version:	3.0	Trust: 1.0
vendor:	oracle	model:	financial services profitability management	scope:	eq	version:	8.0.7	Trust: 1.0
vendor:	oracle	model:	financial services hedge management and ifrs valuations	scope:	eq	version:	8.1.0	Trust: 1.0
vendor:	oracle	model:	enterprise manager ops center	scope:	eq	version:	12.4.0.0	Trust: 1.0
vendor:	oracle	model:	banking digital experience	scope:	gte	version:	18.1	Trust: 1.0
vendor:	oracle	model:	policy automation	scope:	gte	version:	12.2.0	Trust: 1.0
vendor:	oracle	model:	financial services asset liability management	scope:	eq	version:	8.1.0	Trust: 1.0
vendor:	oracle	model:	communications application session controller	scope:	eq	version:	3.8m0	Trust: 1.0
vendor:	oracle	model:	financial services basel regulatory capital internal ratings based approach	scope:	eq	version:	8.1.0	Trust: 1.0
vendor:	oracle	model:	financial services market risk measurement and management	scope:	eq	version:	8.0.6	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	9.0	Trust: 1.0
vendor:	oracle	model:	banking digital experience	scope:	eq	version:	18.3	Trust: 1.0
vendor:	oracle	model:	financial services hedge management and ifrs valuations	scope:	gte	version:	8.0.6	Trust: 1.0
vendor:	oracle	model:	weblogic server	scope:	eq	version:	10.3.6.0.0	Trust: 1.0
vendor:	fedoraproject	model:	fedora	scope:	eq	version:	33	Trust: 1.0
vendor:	oracle	model:	financial services basel regulatory capital internal ratings based approach	scope:	lte	version:	8.0.8	Trust: 1.0
vendor:	drupal	model:	drupal	scope:	lt	version:	7.70	Trust: 1.0
vendor:	oracle	model:	insurance insbridge rating and underwriting	scope:	eq	version:	5.6.1.0	Trust: 1.0
vendor:	oracle	model:	financial services balance sheet planning	scope:	eq	version:	8.0.8	Trust: 1.0
vendor:	oracle	model:	financial services funds transfer pricing	scope:	eq	version:	8.0.6	Trust: 1.0
vendor:	oracle	model:	retail returns management	scope:	eq	version:	14.1	Trust: 1.0
vendor:	oracle	model:	hospitality simphony	scope:	eq	version:	18.1	Trust: 1.0
vendor:	oracle	model:	insurance allocation manager for enterprise profitability	scope:	eq	version:	8.0.8	Trust: 1.0
vendor:	oracle	model:	financial services asset liability management	scope:	eq	version:	8.0.7	Trust: 1.0
vendor:	oracle	model:	insurance data foundation	scope:	eq	version:	8.0.6-8.1.0	Trust: 1.0
vendor:	oracle	model:	peoplesoft enterprise peopletools	scope:	eq	version:	8.56	Trust: 1.0
vendor:	oracle	model:	financial services basel regulatory capital basic	scope:	eq	version:	8.1.0	Trust: 1.0
vendor:	oracle	model:	financial services regulatory reporting for us federal reserve	scope:	lte	version:	8.0.9	Trust: 1.0
vendor:	oracle	model:	peoplesoft enterprise peopletools	scope:	eq	version:	8.57	Trust: 1.0
vendor:	opensuse	model:	leap	scope:	eq	version:	15.2	Trust: 1.0
vendor:	oracle	model:	communications services gatekeeper	scope:	eq	version:	7.0	Trust: 1.0
vendor:	oracle	model:	financial services data integration hub	scope:	eq	version:	8.1.0	Trust: 1.0
vendor:	oracle	model:	healthcare foundation	scope:	eq	version:	7.3.0	Trust: 1.0
vendor:	oracle	model:	insurance insbridge rating and underwriting	scope:	lte	version:	5.6.0.0	Trust: 1.0
vendor:	oracle	model:	hospitality simphony	scope:	eq	version:	18.2	Trust: 1.0
vendor:	oracle	model:	financial services data foundation	scope:	lte	version:	8.1.0	Trust: 1.0
vendor:	oracle	model:	policy automation for mobile devices	scope:	lte	version:	12.2.20	Trust: 1.0
vendor:	oracle	model:	storagetek acsls	scope:	eq	version:	8.5.1	Trust: 1.0
vendor:	netapp	model:	snap creator framework	scope:	eq	version:	-	Trust: 1.0
vendor:	oracle	model:	financial services basel regulatory capital internal ratings based approach	scope:	gte	version:	8.0.6	Trust: 1.0
vendor:	netapp	model:	h410c	scope:	eq	version:	-	Trust: 1.0
vendor:	oracle	model:	banking digital experience	scope:	eq	version:	18.1	Trust: 1.0
vendor:	oracle	model:	policy automation for mobile devices	scope:	gte	version:	12.2.0	Trust: 1.0
vendor:	jquery	model:	jquery	scope:	lt	version:	3.5.0	Trust: 1.0
vendor:	oracle	model:	financial services liquidity risk management	scope:	eq	version:	8.0.6	Trust: 1.0
vendor:	netapp	model:	oncommand insight	scope:	eq	version:	-	Trust: 1.0
vendor:	fedoraproject	model:	fedora	scope:	eq	version:	32	Trust: 1.0
vendor:	oracle	model:	financial services analytical applications infrastructure	scope:	lte	version:	8.1.0.0.0	Trust: 1.0
vendor:	netapp	model:	h500e	scope:	eq	version:	-	Trust: 1.0
vendor:	netapp	model:	h410s	scope:	eq	version:	-	Trust: 1.0
vendor:	tenable	model:	log correlation engine	scope:	lt	version:	6.0.9	Trust: 1.0
vendor:	oracle	model:	communications diameter signaling router idih\:	scope:	gte	version:	8.0.0	Trust: 1.0
vendor:	oracle	model:	healthcare foundation	scope:	eq	version:	7.1.1	Trust: 1.0
vendor:	oracle	model:	financial services data integration hub	scope:	eq	version:	8.0.7	Trust: 1.0
vendor:	oracle	model:	communications eagle application processor	scope:	lte	version:	16.4.0	Trust: 1.0
vendor:	oracle	model:	financial services asset liability management	scope:	eq	version:	8.0.6	Trust: 1.0
vendor:	oracle	model:	financial services regulatory reporting for us federal reserve	scope:	gte	version:	8.0.6	Trust: 1.0
vendor:	netapp	model:	max data	scope:	eq	version:	-	Trust: 1.0
vendor:	oracle	model:	financial services institutional performance analytics	scope:	eq	version:	8.1.0	Trust: 1.0
vendor:	oracle	model:	financial services regulatory reporting for european banking authority	scope:	gte	version:	8.0.6	Trust: 1.0
vendor:	oracle	model:	jdeveloper	scope:	eq	version:	11.1.1.9.0	Trust: 1.0
vendor:	oracle	model:	retail returns management	scope:	eq	version:	14.0	Trust: 1.0
vendor:	oracle	model:	financial services loan loss forecasting and provisioning	scope:	lte	version:	8.0.8	Trust: 1.0
vendor:	oracle	model:	agile product supplier collaboration for process	scope:	eq	version:	6.2.0.0	Trust: 1.0
vendor:	oracle	model:	financial services analytical applications infrastructure	scope:	lte	version:	8.1.0	Trust: 1.0
vendor:	oracle	model:	application testing suite	scope:	eq	version:	13.3.0.1	Trust: 1.0
vendor:	oracle	model:	retail back office	scope:	eq	version:	14.1	Trust: 1.0
vendor:	oracle	model:	hospitality simphony	scope:	gte	version:	19.1.0	Trust: 1.0
vendor:	oracle	model:	banking digital experience	scope:	eq	version:	19.1	Trust: 1.0
vendor:	oracle	model:	weblogic server	scope:	eq	version:	12.1.3.0.0	Trust: 1.0
vendor:	oracle	model:	communications webrtc session controller	scope:	eq	version:	7.2	Trust: 1.0
vendor:	oracle	model:	communications billing and revenue management	scope:	eq	version:	7.5.0.23.0	Trust: 1.0
vendor:	oracle	model:	financial services hedge management and ifrs valuations	scope:	lte	version:	8.0.8	Trust: 1.0
vendor:	oracle	model:	financial services institutional performance analytics	scope:	eq	version:	8.0.7	Trust: 1.0
vendor:	oracle	model:	financial services data integration hub	scope:	eq	version:	8.0.6	Trust: 1.0
vendor:	opensuse	model:	leap	scope:	eq	version:	15.1	Trust: 1.0
vendor:	netapp	model:	h700s	scope:	eq	version:	-	Trust: 1.0
vendor:	oracle	model:	financial services liquidity risk measurement and management	scope:	eq	version:	8.0.8	Trust: 1.0
vendor:	oracle	model:	retail customer management and segmentation foundation	scope:	eq	version:	19.0	Trust: 1.0
vendor:	netapp	model:	oncommand system manager	scope:	lte	version:	3.1.3	Trust: 1.0

sources: NVD: CVE-2020-11022

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-11022
value:	MEDIUM
Trust: 1.0
security-advisories@github.com:	CVE-2020-11022
value:	MEDIUM
Trust: 1.0
VULHUB:	VHN-163559
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-11022
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
VULHUB:	VHN-163559
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-11022
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 1.0
security-advisories@github.com:	CVE-2020-11022
baseSeverity:	MEDIUM
baseScore:	6.9
vectorString:	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	1.6
impactScore:	4.7
version:	3.1
Trust: 1.0

sources: VULHUB: VHN-163559 // NVD: CVE-2020-11022 // NVD: CVE-2020-11022

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.1

sources: VULHUB: VHN-163559 // NVD: CVE-2020-11022

TYPE

code execution, xss

Trust: 0.4

sources: PACKETSTORM: 171215 // PACKETSTORM: 171214 // PACKETSTORM: 171212 // PACKETSTORM: 161727

EXTERNAL IDS

db:	NVD	id:	CVE-2020-11022	Trust: 1.7
db:	PACKETSTORM	id:	162159	Trust: 1.1
db:	TENABLE	id:	TNS-2021-02	Trust: 1.1
db:	TENABLE	id:	TNS-2020-10	Trust: 1.1
db:	TENABLE	id:	TNS-2020-11	Trust: 1.1
db:	TENABLE	id:	TNS-2021-10	Trust: 1.1
db:	PACKETSTORM	id:	171214	Trust: 0.2
db:	PACKETSTORM	id:	171212	Trust: 0.2
db:	PACKETSTORM	id:	171215	Trust: 0.2
db:	PACKETSTORM	id:	159852	Trust: 0.2
db:	PACKETSTORM	id:	161727	Trust: 0.2
db:	PACKETSTORM	id:	171213	Trust: 0.1
db:	PACKETSTORM	id:	170823	Trust: 0.1
db:	PACKETSTORM	id:	160274	Trust: 0.1
db:	PACKETSTORM	id:	170821	Trust: 0.1
db:	PACKETSTORM	id:	159876	Trust: 0.1
db:	PACKETSTORM	id:	159275	Trust: 0.1
db:	PACKETSTORM	id:	159353	Trust: 0.1
db:	PACKETSTORM	id:	170819	Trust: 0.1
db:	PACKETSTORM	id:	168304	Trust: 0.1
db:	PACKETSTORM	id:	170817	Trust: 0.1
db:	PACKETSTORM	id:	158750	Trust: 0.1
db:	PACKETSTORM	id:	159513	Trust: 0.1
db:	PACKETSTORM	id:	157850	Trust: 0.1
db:	PACKETSTORM	id:	158555	Trust: 0.1
db:	CNNVD	id:	CNNVD-202004-2429	Trust: 0.1
db:	VULHUB	id:	VHN-163559	Trust: 0.1
db:	PACKETSTORM	id:	168835	Trust: 0.1

sources: VULHUB: VHN-163559 // PACKETSTORM: 168835 // PACKETSTORM: 159852 // PACKETSTORM: 171215 // PACKETSTORM: 171214 // PACKETSTORM: 171212 // PACKETSTORM: 161727 // NVD: CVE-2020-11022

REFERENCES

url:	https://github.com/jquery/jquery/security/advisories/ghsa-gxr4-xjj5-5px2	Trust: 1.1
url:	https://security.netapp.com/advisory/ntap-20200511-0006/	Trust: 1.1
url:	https://www.drupal.org/sa-core-2020-002	Trust: 1.1
url:	https://www.tenable.com/security/tns-2020-10	Trust: 1.1
url:	https://www.tenable.com/security/tns-2020-11	Trust: 1.1
url:	https://www.tenable.com/security/tns-2021-02	Trust: 1.1
url:	https://www.tenable.com/security/tns-2021-10	Trust: 1.1
url:	https://www.debian.org/security/2020/dsa-4693	Trust: 1.1
url:	https://security.gentoo.org/glsa/202007-03	Trust: 1.1
url:	http://packetstormsecurity.com/files/162159/jquery-1.2-cross-site-scripting.html	Trust: 1.1
url:	https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/	Trust: 1.1
url:	https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77	Trust: 1.1
url:	https://jquery.com/upgrade-guide/3.5/	Trust: 1.1
url:	https://www.oracle.com//security-alerts/cpujul2021.html	Trust: 1.1
url:	https://www.oracle.com/security-alerts/cpuapr2021.html	Trust: 1.1
url:	https://www.oracle.com/security-alerts/cpuapr2022.html	Trust: 1.1
url:	https://www.oracle.com/security-alerts/cpujan2021.html	Trust: 1.1
url:	https://www.oracle.com/security-alerts/cpujan2022.html	Trust: 1.1
url:	https://www.oracle.com/security-alerts/cpujul2020.html	Trust: 1.1
url:	https://www.oracle.com/security-alerts/cpujul2022.html	Trust: 1.1
url:	https://www.oracle.com/security-alerts/cpuoct2020.html	Trust: 1.1
url:	https://www.oracle.com/security-alerts/cpuoct2021.html	Trust: 1.1
url:	https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html	Trust: 1.1
url:	http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html	Trust: 1.1
url:	http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html	Trust: 1.1
url:	http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html	Trust: 1.1
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/avkyxlwclzbv2n7m46kyk4lva5oxwpby/	Trust: 1.0
url:	https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c%40%3cissues.flink.apache.org%3e	Trust: 1.0
url:	https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67%40%3cdev.flink.apache.org%3e	Trust: 1.0
url:	https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d%40%3cissues.flink.apache.org%3e	Trust: 1.0
url:	https://lists.apache.org/thread.html/rdf44341677cf7eec7e9aa96dcf3f37ed709544863d619cca8c36f133%40%3ccommits.airflow.apache.org%3e	Trust: 1.0
url:	https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108%40%3cissues.flink.apache.org%3e	Trust: 1.0
url:	https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36%40%3cissues.flink.apache.org%3e	Trust: 1.0
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/sapqvx3xdnpgft26qaq6ajixzzbz4cd4/	Trust: 1.0
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/qpn2l2xvqgua2v5hnqjwhk3apsk3vn7k/	Trust: 1.0
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/voe7p7apprqkd4fgnhbkjpdy6ffcoh3w/	Trust: 1.0
url:	https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4%40%3cissues.flink.apache.org%3e	Trust: 1.0
url:	https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48%40%3cissues.flink.apache.org%3e	Trust: 1.0
url:	https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2%40%3cissues.flink.apache.org%3e	Trust: 1.0
url:	https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html	Trust: 1.0
url:	https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae%40%3cissues.flink.apache.org%3e	Trust: 1.0
url:	https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760%40%3cissues.flink.apache.org%3e	Trust: 1.0
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/sfp4uk4egp4afh2mwyj5a5z4i7xvfq6b/	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2020-11022	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2020-11023	Trust: 0.5
url:	https://access.redhat.com/security/team/contact/	Trust: 0.5
url:	https://bugzilla.redhat.com/):	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2020-11022	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2018-14042	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2018-14040	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2018-14042	Trust: 0.4
url:	https://access.redhat.com/articles/11258	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2020-11023	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2019-11358	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2019-11358	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2018-14040	Trust: 0.4
url:	https://listman.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.4
url:	https://access.redhat.com/security/updates/classification/#important	Trust: 0.4
url:	https://access.redhat.com/security/team/key/	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-38750	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-1471	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2022-1438	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-3916	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-40150	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2022-31129	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-40149	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-25857	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-46175	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2021-35065	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-45047	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-46364	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2021-44906	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2021-44906	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2023-0091	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-24785	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-3782	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-42004	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-2764	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2022-2764	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-46363	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2022-1471	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2023-0264	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-38751	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-1274	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-37603	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-45693	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-38749	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-31129	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2021-35065	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-42003	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-1438	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2022-25857	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2022-24785	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2022-1274	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-4137	Trust: 0.2
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/avkyxlwclzbv2n7m46kyk4lva5oxwpby/	Trust: 0.1
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/voe7p7apprqkd4fgnhbkjpdy6ffcoh3w/	Trust: 0.1
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/qpn2l2xvqgua2v5hnqjwhk3apsk3vn7k/	Trust: 0.1
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/sfp4uk4egp4afh2mwyj5a5z4i7xvfq6b/	Trust: 0.1
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/sapqvx3xdnpgft26qaq6ajixzzbz4cd4/	Trust: 0.1
url:	https://lists.apache.org/thread.html/rdf44341677cf7eec7e9aa96dcf3f37ed709544863d619cca8c36f133@%3ccommits.airflow.apache.org%3e	Trust: 0.1
url:	https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67@%3cdev.flink.apache.org%3e	Trust: 0.1
url:	https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d@%3cissues.flink.apache.org%3e	Trust: 0.1
url:	https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48@%3cissues.flink.apache.org%3e	Trust: 0.1
url:	https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760@%3cissues.flink.apache.org%3e	Trust: 0.1
url:	https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c@%3cissues.flink.apache.org%3e	Trust: 0.1
url:	https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4@%3cissues.flink.apache.org%3e	Trust: 0.1
url:	https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2@%3cissues.flink.apache.org%3e	Trust: 0.1
url:	https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae@%3cissues.flink.apache.org%3e	Trust: 0.1
url:	https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108@%3cissues.flink.apache.org%3e	Trust: 0.1
url:	https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36@%3cissues.flink.apache.org%3e	Trust: 0.1
url:	https://security-tracker.debian.org/tracker/drupal7	Trust: 0.1
url:	https://www.debian.org/security/faq	Trust: 0.1
url:	https://www.debian.org/security/	Trust: 0.1
url:	https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2015-9251	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-8331	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-1721	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-10146	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-10221	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-1721	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-15720	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-15720	Trust: 0.1
url:	https://www.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-10146	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-10735	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-10179	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-10179	Trust: 0.1
url:	https://access.redhat.com/security/updates/classification/#moderate	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-10221	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2015-9251	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2016-10735	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2020:4847	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8331	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-47629	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2023:1047	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2023-21843	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-4039	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-37603	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-40304	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2023-21835	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-40303	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2023:1045	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2023:1043	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-12723	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-17006	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-20907	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-12749	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-12401	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-12402	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-1971	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-14866	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-20372	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-10878	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-20228	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-7595	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-20843	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-20253	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-17006	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-11719	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-20388	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-12401	Trust: 0.1
url:	https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-17023	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-17023	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-12749	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-6829	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2021:0778	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-14866	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-8177	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-12403	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-12400	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-20388	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-12723	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-19956	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-11756	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-11756	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-12243	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-10543	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-12400	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-20191	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-11727	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-12243	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-1971	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-11719	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-20180	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-11727	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2016-5766	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-12403	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-15903	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10878	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-20178	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-5766	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-15903	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-20372	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-19956	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-17498	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-17498	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-20907	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10543	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-35678	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2018-20843	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-12402	Trust: 0.1

CREDITS

Red Hat

Trust: 0.5

sources: PACKETSTORM: 159852 // PACKETSTORM: 171215 // PACKETSTORM: 171214 // PACKETSTORM: 171212 // PACKETSTORM: 161727

SOURCES

db:	VULHUB	id:	VHN-163559
db:	PACKETSTORM	id:	168835
db:	PACKETSTORM	id:	159852
db:	PACKETSTORM	id:	171215
db:	PACKETSTORM	id:	171214
db:	PACKETSTORM	id:	171212
db:	PACKETSTORM	id:	161727
db:	NVD	id:	CVE-2020-11022

LAST UPDATE DATE

2026-03-25T20:11:46.597000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-163559	date:	2022-07-25T00:00:00
db:	NVD	id:	CVE-2020-11022	date:	2024-11-21T04:56:36.110

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-163559	date:	2020-04-29T00:00:00
db:	PACKETSTORM	id:	168835	date:	2020-05-28T19:12:00
db:	PACKETSTORM	id:	159852	date:	2020-11-04T15:29:15
db:	PACKETSTORM	id:	171215	date:	2023-03-02T15:19:44
db:	PACKETSTORM	id:	171214	date:	2023-03-02T15:19:36
db:	PACKETSTORM	id:	171212	date:	2023-03-02T15:19:19
db:	PACKETSTORM	id:	161727	date:	2021-03-09T16:25:11
db:	NVD	id:	CVE-2020-11022	date:	2020-04-29T22:15:11.903