CVE-2021-3529

Published: Jun 2, 2021Modified: Nov 21, 2024

7.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Exploitability: 2.8 / Impact: 3.7

Source: NVD

Description

A flaw was found in noobaa-core in versions before 5.7.0. This flaw results in the name of an arbitrarily URL being copied into an HTML document as plain text between tags, including potentially a payload script. The input was echoed unmodified in the application response, resulting in arbitrary JavaScript being injected into an application's response. The highest threat to the system is for confidentiality, availability, and integrity.

Affected (2)

Products: Redhat: Noobaa Operator, Openshift Container Platform

2 products

Noobaa Operator

Openshift Container Platform

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Noobaa Operator	Before 5.7.0

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Openshift Container Platform	Version 4.0

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://bugzilla.redhat.com/show_bug.cgi?id=1950479

Source: secalert@redhat.com

Issue TrackingThird Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1950479

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

Timeline

No history available yet.