Security
Headlines
HeadlinesLatestCVEs

Headline

RHSA-2020:3247: Red Hat Security Advisory: RHV Manager (ovirt-engine) 4.4 security, bug fix, and enhancement update

Updated ovirt-engine packages that fix several bugs and add various enhancements are now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning. The Manager is a JBoss Application Server application that provides several interfaces through which the virtual environment can be accessed and interacted with, including an Administration Portal, a VM Portal, and a Representational State Transfer (REST) Application Programming Interface (API). A list of bugs fixed in this update is available in the Technical Notes book: https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes Security Fix(es):

  • apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086)
  • libquartz: XXE attacks via job description (CVE-2019-13990)
  • novnc: XSS vulnerability via the messages propagated to the status field (CVE-2017-18635)
  • bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331)
  • nimbus-jose-jwt: Uncaught exceptions while parsing a JWT (CVE-2019-17195)
  • ovirt-engine: response_type parameter allows reflected XSS (CVE-2019-19336)
  • nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or proto payload (CVE-2020-7598)
  • ovirt-engine: Redirect to arbitrary URL allows for phishing (CVE-2020-10775)
  • Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
  • jQuery: passing HTML containing <option> elements to manipulation methods could result in untrusted code execution (CVE-2020-11023) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Related CVEs:
  • CVE-2017-18635: novnc: XSS vulnerability via the messages propagated to the status field
  • CVE-2019-8331: bootstrap: XSS in the tooltip or popover data-template attribute
  • CVE-2019-10086: apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default
  • CVE-2019-13990: libquartz: XXE attacks via job description
  • CVE-2019-19336: ovirt-engine: response_type parameter allows reflected XSS
  • CVE-2020-7598: nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or proto payload
  • CVE-2020-10775: ovirt-engine: Redirect to arbitrary URL allows for phishing
  • CVE-2020-11022: jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
  • CVE-2020-11023: jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution
Red Hat Security Data
#xss#vulnerability#mac#red_hat#apache#nodejs#js

Red Hat Security Data: Latest News

RHSA-2023:5627: Red Hat Security Advisory: kernel security, bug fix, and enhancement update