{ "threat_severity" : "Moderate", "public_date" : "2018-05-29T00:00:00Z", "bugzilla" : { "description" : "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute", "id" : "1601614", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1601614" }, "cvss3" : { "cvss3_base_score" : "6.1", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status" : "verified" }, "cwe" : "CWE-79", "details" : [ "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute." ], "statement" : "Red Hat Satellite 6.2 and newer versions don't use the bootstrap library, hence are not affected by this flaw.\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don't use the vulnerable component at all.\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2020-09-29T00:00:00Z", "advisory" : "RHSA-2020:3936", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "ipa-0:4.6.8-5.el7" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2020-11-04T00:00:00Z", "advisory" : "RHSA-2020:4670", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "idm:client-8030020200923172426.05ac3f11" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2020-11-04T00:00:00Z", "advisory" : "RHSA-2020:4670", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "idm:DL1-8030020200923172343.9c827e52" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2020-11-04T00:00:00Z", "advisory" : "RHSA-2020:4847", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "pki-core:10.6-8030020200911215836.5ff1562f" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2020-11-04T00:00:00Z", "advisory" : "RHSA-2020:4847", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "pki-deps:10.6-8030020200527165326.30b713e6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "release_date" : "2023-01-31T00:00:00Z", "advisory" : "RHSA-2023:0556", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package" : "bootstrap", "impact" : "low" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date" : "2023-01-31T00:00:00Z", "advisory" : "RHSA-2023:0553", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package" : "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap", "impact" : "low" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date" : "2023-01-31T00:00:00Z", "advisory" : "RHSA-2023:0554", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package" : "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap", "impact" : "low" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date" : "2023-01-31T00:00:00Z", "advisory" : "RHSA-2023:0552", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package" : "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap", "impact" : "low" }, { "product_name" : "Red Hat Single Sign-On 7", "release_date" : "2023-03-01T00:00:00Z", "advisory" : "RHSA-2023:1049", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6", "package" : "keycloak-theme" }, { "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 7", "release_date" : "2023-03-01T00:00:00Z", "advisory" : "RHSA-2023:1043", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7", "package" : "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso" }, { "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 8", "release_date" : "2023-03-01T00:00:00Z", "advisory" : "RHSA-2023:1044", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8", "package" : "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso" }, { "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 9", "release_date" : "2023-03-01T00:00:00Z", "advisory" : "RHSA-2023:1045", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9", "package" : "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2023-03-01T00:00:00Z", "advisory" : "RHSA-2023:1047", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "rh-sso-7/sso76-openshift-rhel8:7.6-20" } ], "package_state" : [ { "product_name" : "CloudForms Management Engine 5", "fix_state" : "Not affected", "package_name" : "cfme-gemset", "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5" }, { "product_name" : "Red Hat 3scale API Management Platform 2", "fix_state" : "Not affected", "package_name" : "bootstrap", "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2" }, { "product_name" : "Red Hat Decision Manager 7", "fix_state" : "Will not fix", "package_name" : "bootstrap", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Will not fix", "package_name" : "pki-core", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat OpenStack Platform 10 (Newton)", "fix_state" : "Will not fix", "package_name" : "python-XStatic-Bootstrap-SCSS", "cpe" : "cpe:/a:redhat:openstack:10" }, { "product_name" : "Red Hat OpenStack Platform 12 (Pike)", "fix_state" : "Affected", "package_name" : "python-XStatic-Bootstrap-SCSS", "cpe" : "cpe:/a:redhat:openstack:12", "impact" : "low" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Will not fix", "package_name" : "python-XStatic-Bootstrap-SCSS", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 14 (Rocky)", "fix_state" : "Affected", "package_name" : "python-XStatic-Bootstrap-SCSS", "cpe" : "cpe:/a:redhat:openstack:14", "impact" : "low" }, { "product_name" : "Red Hat OpenStack Platform 8 (Liberty)", "fix_state" : "Will not fix", "package_name" : "python-XStatic-Bootstrap-SCSS", "cpe" : "cpe:/a:redhat:openstack:8" }, { "product_name" : "Red Hat OpenStack Platform 9 (Mitaka)", "fix_state" : "Will not fix", "package_name" : "python-XStatic-Bootstrap-SCSS", "cpe" : "cpe:/a:redhat:openstack:9" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Will not fix", "package_name" : "bootstrap", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Quay 3", "fix_state" : "Not affected", "package_name" : "quay", "cpe" : "cpe:/a:redhat:quay:3" }, { "product_name" : "Red Hat Satellite 5", "fix_state" : "Will not fix", "package_name" : "bootstrap", "cpe" : "cpe:/a:redhat:network_satellite:5" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "ruby193-rubygem-bootstrap-sass", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Virtualization 4", "fix_state" : "Will not fix", "package_name" : "ovirt-js-dependencies", "cpe" : "cpe:/o:redhat:rhev_hypervisor:4" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-14040\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-14040" ], "name" : "CVE-2018-14040", "csaw" : false }