{
  "threat_severity" : "Moderate",
  "public_date" : "2019-02-11T00:00:00Z",
  "bugzilla" : {
    "description" : "bootstrap: XSS in the tooltip or popover data-template attribute",
    "id" : "1686454",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1686454"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.1",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-79",
  "details" : [ "In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.", "A cross-site scripting vulnerability was discovered in Bootstrap. If an attacker can control the data passed to a tooltip or popover, they can inject HTML or JavaScript into the rendered page when the tooltip or popover events fire." ],
  "statement" : "Red Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don't use the vulnerable component at all.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2020-09-29T00:00:00Z",
    "advisory" : "RHSA-2020:3936",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "ipa-0:4.6.8-5.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4670",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "idm:client-8030020200923172426.05ac3f11"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4670",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "idm:DL1-8030020200923172343.9c827e52"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4847",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "pki-core:10.6-8030020200911215836.5ff1562f"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4847",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "pki-deps:10.6-8030020200527165326.30b713e6"
  }, {
    "product_name" : "Red Hat Fuse 7.11.1",
    "release_date" : "2022-11-28T00:00:00Z",
    "advisory" : "RHSA-2022:8652",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "io.hawt-hawtio-online"
  }, {
    "product_name" : "Red Hat Fuse 7.11.1",
    "release_date" : "2022-11-28T00:00:00Z",
    "advisory" : "RHSA-2022:8652",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "io.hawt-project"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "release_date" : "2023-01-31T00:00:00Z",
    "advisory" : "RHSA-2023:0556",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4",
    "package" : "bootstrap",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
    "release_date" : "2023-01-31T00:00:00Z",
    "advisory" : "RHSA-2023:0553",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8",
    "package" : "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
    "release_date" : "2023-01-31T00:00:00Z",
    "advisory" : "RHSA-2023:0554",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9",
    "package" : "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
    "release_date" : "2023-01-31T00:00:00Z",
    "advisory" : "RHSA-2023:0552",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7",
    "package" : "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13.0 (Queens)",
    "release_date" : "2020-12-16T00:00:00Z",
    "advisory" : "RHSA-2020:5571",
    "cpe" : "cpe:/a:redhat:openstack:13::el7",
    "package" : "python-XStatic-Bootstrap-SCSS-0:3.4.1.0-1.el7ost"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS",
    "release_date" : "2020-12-16T00:00:00Z",
    "advisory" : "RHSA-2020:5571",
    "cpe" : "cpe:/a:redhat:openstack:13::el7",
    "package" : "python-XStatic-Bootstrap-SCSS-0:3.4.1.0-1.el7ost"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.1",
    "release_date" : "2022-12-07T00:00:00Z",
    "advisory" : "RHSA-2022:8865",
    "cpe" : "cpe:/a:redhat:openstack:16.1::el8",
    "package" : "python-XStatic-Bootstrap-SCSS-0:3.4.1.0-2.el8ost"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "release_date" : "2022-12-07T00:00:00Z",
    "advisory" : "RHSA-2022:8848",
    "cpe" : "cpe:/a:redhat:openstack:16.2::el8",
    "package" : "python-XStatic-Bootstrap-SCSS-0:3.4.1.0-2.el8ost"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.3.2 zip",
    "release_date" : "2019-06-11T00:00:00Z",
    "advisory" : "RHSA-2019:1456",
    "cpe" : "cpe:/a:redhat:jboss_single_sign_on:7.3",
    "package" : "bootstrap"
  }, {
    "product_name" : "Red Hat Virtualization Engine 4.3",
    "release_date" : "2019-10-10T00:00:00Z",
    "advisory" : "RHSA-2019:3023",
    "cpe" : "cpe:/a:redhat:rhev_manager:4.3",
    "package" : "ovirt-engine-ui-extensions-0:1.0.10-1.el7ev"
  }, {
    "product_name" : "Red Hat Virtualization Engine 4.3",
    "release_date" : "2019-10-10T00:00:00Z",
    "advisory" : "RHSA-2019:3024",
    "cpe" : "cpe:/a:redhat:rhev_manager:4.3",
    "package" : "ovirt-web-ui-0:1.6.0-1.el7ev"
  }, {
    "product_name" : "Red Hat Virtualization Engine 4.4",
    "release_date" : "2020-08-04T00:00:00Z",
    "advisory" : "RHSA-2020:3247",
    "cpe" : "cpe:/a:redhat:rhev_manager:4.4:el8",
    "package" : "org.ovirt.engine-root-0:4.4.1.8-7"
  }, {
    "product_name" : "Red Hat Virtualization Engine 4.4",
    "release_date" : "2020-08-04T00:00:00Z",
    "advisory" : "RHSA-2020:3247",
    "cpe" : "cpe:/a:redhat:rhev_manager:4.4:el8",
    "package" : "ovirt-engine-api-explorer-0:0.0.6-1.el8ev"
  } ],
  "package_state" : [ {
    "product_name" : "CloudForms Management Engine 5",
    "fix_state" : "Not affected",
    "package_name" : "cfme-gemset",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "bootstrap",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat Decision Manager 7",
    "fix_state" : "Will not fix",
    "package_name" : "bootstrap",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "pki-core",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2",
    "fix_state" : "Out of support scope",
    "package_name" : "bootstrap",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2"
  }, {
    "product_name" : "Red Hat OpenShift Application Runtimes",
    "fix_state" : "Affected",
    "package_name" : "bootstrap",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Out of support scope",
    "package_name" : "openshift3/ose-console",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Will not fix",
    "package_name" : "python-XStatic-Bootstrap-SCSS",
    "cpe" : "cpe:/a:redhat:openstack:10"
  }, {
    "product_name" : "Red Hat OpenStack Platform 14 (Rocky)",
    "fix_state" : "Affected",
    "package_name" : "python-XStatic-Bootstrap-SCSS",
    "cpe" : "cpe:/a:redhat:openstack:14"
  }, {
    "product_name" : "Red Hat OpenStack Platform 15 (Stein)",
    "fix_state" : "Will not fix",
    "package_name" : "python-XStatic-Bootstrap-SCSS",
    "cpe" : "cpe:/a:redhat:openstack:15"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "fix_state" : "Not affected",
    "package_name" : "qpid-dispatch",
    "cpe" : "cpe:/a:redhat:openstack:16.2"
  }, {
    "product_name" : "Red Hat OpenStack Platform 8 (Liberty)",
    "fix_state" : "Will not fix",
    "package_name" : "python-XStatic-Bootstrap-SCSS",
    "cpe" : "cpe:/a:redhat:openstack:8"
  }, {
    "product_name" : "Red Hat OpenStack Platform 9 (Mitaka)",
    "fix_state" : "Will not fix",
    "package_name" : "python-XStatic-Bootstrap-SCSS",
    "cpe" : "cpe:/a:redhat:openstack:9"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Will not fix",
    "package_name" : "bootstrap",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Not affected",
    "package_name" : "quay",
    "cpe" : "cpe:/a:redhat:quay:3"
  }, {
    "product_name" : "Red Hat Satellite 5",
    "fix_state" : "Out of support scope",
    "package_name" : "bootstrap",
    "cpe" : "cpe:/a:redhat:network_satellite:5"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Not affected",
    "package_name" : "qpid-dispatch",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Virtualization 4",
    "fix_state" : "Out of support scope",
    "package_name" : "ovirt-engine-dashboard",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4"
  }, {
    "product_name" : "Red Hat Virtualization 4",
    "fix_state" : "Out of support scope",
    "package_name" : "ovirt-js-dependencies",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-8331\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-8331" ],
  "name" : "CVE-2019-8331",
  "csaw" : false
}