csaf_certbund - wid-sec-w-2022-0708

wid-sec-w-2022-0708

Vulnerability from csaf_certbund

Published

2022-07-18 22:00

Modified

2024-02-26 23:00

Summary

jQuery: Schwachstelle ermöglicht Cross-Site Scripting

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

jQuery ist eine freie JavaScript-Bibliothek, die Funktionen zur DOM-Navigation und -Manipulation zur Verfügung stellt.

Angriff

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in jQuery ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen.

Betroffene Betriebssysteme

- UNIX - Linux - Windows - Sonstiges

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         text: "mittel",
      },
      category: "csaf_base",
      csaf_version: "2.0",
      distribution: {
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "de-DE",
      notes: [
         {
            category: "legal_disclaimer",
            text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.",
         },
         {
            category: "description",
            text: "jQuery ist eine freie JavaScript-Bibliothek, die Funktionen zur DOM-Navigation und -Manipulation zur Verfügung stellt.",
            title: "Produktbeschreibung",
         },
         {
            category: "summary",
            text: "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in jQuery ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen.",
            title: "Angriff",
         },
         {
            category: "general",
            text: "- UNIX\n- Linux\n- Windows\n- Sonstiges",
            title: "Betroffene Betriebssysteme",
         },
      ],
      publisher: {
         category: "other",
         contact_details: "csaf-provider@cert-bund.de",
         name: "Bundesamt für Sicherheit in der Informationstechnik",
         namespace: "https://www.bsi.bund.de",
      },
      references: [
         {
            category: "self",
            summary: "WID-SEC-W-2022-0708 - CSAF Version",
            url: "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-0708.json",
         },
         {
            category: "self",
            summary: "WID-SEC-2022-0708 - Portal Version",
            url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0708",
         },
         {
            category: "external",
            summary: "GitHub Advisory Database - CVE-2022-31160 vom 2022-07-18",
            url: "https://github.com/advisories/GHSA-h6gj-6jjq-h8g9",
         },
         {
            category: "external",
            summary: "Drupal Security Advisory SA-CONTRIB-2022-052 vom 2022-08-10",
            url: "https://www.drupal.org/sa-contrib-2022-052",
         },
         {
            category: "external",
            summary: "Debian Security Advisory DLA-3230 vom 2022-12-07",
            url: "https://lists.debian.org/debian-lts-announce/2022/12/msg00015.html",
         },
         {
            category: "external",
            summary: "HCL Article KB0102049 vom 2022-12-17",
            url: "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0102049",
         },
         {
            category: "external",
            summary: "IBM Security Bulletin 6955057 vom 2023-02-13",
            url: "https://www.ibm.com/support/pages/node/6955057",
         },
         {
            category: "external",
            summary: "IBM Security Bulletin 6966428 vom 2023-03-27",
            url: "https://www.ibm.com/support/pages/node/6966428",
         },
         {
            category: "external",
            summary: "Ubuntu Security Notice USN-6419-1 vom 2023-10-05",
            url: "https://ubuntu.com/security/notices/USN-6419-1",
         },
         {
            category: "external",
            summary: "IBM Security Bulletin 7116119 vom 2024-02-26",
            url: "https://www.ibm.com/support/pages/node/7116119",
         },
      ],
      source_lang: "en-US",
      title: "jQuery: Schwachstelle ermöglicht Cross-Site Scripting",
      tracking: {
         current_release_date: "2024-02-26T23:00:00.000+00:00",
         generator: {
            date: "2024-08-15T17:31:48.736+00:00",
            engine: {
               name: "BSI-WID",
               version: "1.3.5",
            },
         },
         id: "WID-SEC-W-2022-0708",
         initial_release_date: "2022-07-18T22:00:00.000+00:00",
         revision_history: [
            {
               date: "2022-07-18T22:00:00.000+00:00",
               number: "1",
               summary: "Initiale Fassung",
            },
            {
               date: "2022-08-10T22:00:00.000+00:00",
               number: "2",
               summary: "Neue Updates von Drupal aufgenommen",
            },
            {
               date: "2022-11-13T23:00:00.000+00:00",
               number: "3",
               summary: "Referenz(en) aufgenommen: FEDORA-2022-1A01ED37E2, FEDORA-2022-7291B78111, FEDORA-2022-22D8BA36D0",
            },
            {
               date: "2022-12-07T23:00:00.000+00:00",
               number: "4",
               summary: "Neue Updates von Debian aufgenommen",
            },
            {
               date: "2022-12-18T23:00:00.000+00:00",
               number: "5",
               summary: "Neue Updates von HCL aufgenommen",
            },
            {
               date: "2023-02-13T23:00:00.000+00:00",
               number: "6",
               summary: "Neue Updates von IBM aufgenommen",
            },
            {
               date: "2023-03-27T22:00:00.000+00:00",
               number: "7",
               summary: "Neue Updates von IBM aufgenommen",
            },
            {
               date: "2023-10-05T22:00:00.000+00:00",
               number: "8",
               summary: "Neue Updates von Ubuntu aufgenommen",
            },
            {
               date: "2024-02-26T23:00:00.000+00:00",
               number: "9",
               summary: "Neue Updates von IBM aufgenommen",
            },
         ],
         status: "final",
         version: "9",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  category: "product_name",
                  name: "Debian Linux",
                  product: {
                     name: "Debian Linux",
                     product_id: "2951",
                     product_identification_helper: {
                        cpe: "cpe:/o:debian:debian_linux:-",
                     },
                  },
               },
            ],
            category: "vendor",
            name: "Debian",
         },
         {
            branches: [
               {
                  category: "product_name",
                  name: "HCL BigFix",
                  product: {
                     name: "HCL BigFix",
                     product_id: "T017494",
                     product_identification_helper: {
                        cpe: "cpe:/a:hcltech:bigfix:-",
                     },
                  },
               },
            ],
            category: "vendor",
            name: "HCL",
         },
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "11.7",
                        product: {
                           name: "IBM InfoSphere Information Server 11.7",
                           product_id: "444803",
                           product_identification_helper: {
                              cpe: "cpe:/a:ibm:infosphere_information_server:11.7",
                           },
                        },
                     },
                  ],
                  category: "product_name",
                  name: "InfoSphere Information Server",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "7.6.1.3",
                        product: {
                           name: "IBM Maximo Asset Management 7.6.1.3",
                           product_id: "1234217",
                           product_identification_helper: {
                              cpe: "cpe:/a:ibm:maximo_asset_management:7.6.1.3",
                           },
                        },
                     },
                     {
                        category: "product_version",
                        name: "7.6.1.2",
                        product: {
                           name: "IBM Maximo Asset Management 7.6.1.2",
                           product_id: "812526",
                           product_identification_helper: {
                              cpe: "cpe:/a:ibm:maximo_asset_management:7.6.1.2",
                           },
                        },
                     },
                  ],
                  category: "product_name",
                  name: "Maximo Asset Management",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "7.5",
                        product: {
                           name: "IBM QRadar SIEM 7.5",
                           product_id: "T022954",
                           product_identification_helper: {
                              cpe: "cpe:/a:ibm:qradar_siem:7.5",
                           },
                        },
                     },
                     {
                        category: "product_version",
                        name: "7.4",
                        product: {
                           name: "IBM QRadar SIEM 7.4",
                           product_id: "T024775",
                           product_identification_helper: {
                              cpe: "cpe:/a:ibm:qradar_siem:7.4",
                           },
                        },
                     },
                  ],
                  category: "product_name",
                  name: "QRadar SIEM",
               },
            ],
            category: "vendor",
            name: "IBM",
         },
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_version_range",
                        name: "< 1.13.2",
                        product: {
                           name: "Open Source jQuery < 1.13.2",
                           product_id: "T023885",
                        },
                     },
                  ],
                  category: "product_name",
                  name: "jQuery",
               },
            ],
            category: "vendor",
            name: "Open Source",
         },
         {
            branches: [
               {
                  category: "product_name",
                  name: "Ubuntu Linux",
                  product: {
                     name: "Ubuntu Linux",
                     product_id: "T000126",
                     product_identification_helper: {
                        cpe: "cpe:/o:canonical:ubuntu_linux:-",
                     },
                  },
               },
            ],
            category: "vendor",
            name: "Ubuntu",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2022-31160",
         notes: [
            {
               category: "description",
               text: "In jQuery existiert eine Cross-Site Scripting Schwachstelle. HTML und Script-Eingaben werden im User Interrface nicht ordnungsgemäß überprüft, bevor sie an den Benutzer zurückgegeben werden. Ein entfernter, anonymer Angreifer kann durch Ausnutzung dieser Schwachstelle beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausführen. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich.",
            },
         ],
         product_status: {
            known_affected: [
               "T022954",
               "2951",
               "T000126",
               "444803",
               "812526",
               "T024775",
               "1234217",
               "T017494",
            ],
         },
         release_date: "2022-07-18T22:00:00.000+00:00",
         title: "CVE-2022-31160",
      },
   ],
}

cve-2022-31160

Vulnerability from cvelistv5

Published

2022-07-20 00:00

Modified

2024-08-03 07:11

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.

References

▼	URL	Tags
	https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9
	https://github.com/jquery/jquery-ui/commit/8cc5bae1caa1fcf96bf5862c5646c787020ba3f9
	https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/
	https://www.drupal.org/sa-contrib-2022-052
	https://security.netapp.com/advisory/ntap-20220909-0007/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QB2FJQXCNHO32VGVOC6DY6IPGVE4VDU6/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XBR3G3JR5ZIOJDO4224M3INXDS2VFDD/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J5LGNTICB5BRFAG3DHVVELS6H3CZSQMO/	vendor-advisory
	https://lists.debian.org/debian-lts-announce/2022/12/msg00015.html	mailing-list

Impacted products

	Vendor	Product	Version
	jquery	jquery-ui	Version: < 1.13.2

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T07:11:39.646Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/jquery/jquery-ui/commit/8cc5bae1caa1fcf96bf5862c5646c787020ba3f9",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.drupal.org/sa-contrib-2022-052",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20220909-0007/",
               },
               {
                  name: "FEDORA-2022-22d8ba36d0",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QB2FJQXCNHO32VGVOC6DY6IPGVE4VDU6/",
               },
               {
                  name: "FEDORA-2022-1a01ed37e2",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XBR3G3JR5ZIOJDO4224M3INXDS2VFDD/",
               },
               {
                  name: "FEDORA-2022-7291b78111",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J5LGNTICB5BRFAG3DHVVELS6H3CZSQMO/",
               },
               {
                  name: "[debian-lts-announce] 20221207 [SECURITY] [DLA 3230-1] jqueryui security update",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2022/12/msg00015.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "jquery-ui",
               vendor: "jquery",
               versions: [
                  {
                     status: "affected",
                     version: "< 1.13.2",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling `.checkboxradio( \"refresh\" )` on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 6.1,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "LOW",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-79",
                     description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-12-07T00:00:00",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               url: "https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9",
            },
            {
               url: "https://github.com/jquery/jquery-ui/commit/8cc5bae1caa1fcf96bf5862c5646c787020ba3f9",
            },
            {
               url: "https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/",
            },
            {
               url: "https://www.drupal.org/sa-contrib-2022-052",
            },
            {
               url: "https://security.netapp.com/advisory/ntap-20220909-0007/",
            },
            {
               name: "FEDORA-2022-22d8ba36d0",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QB2FJQXCNHO32VGVOC6DY6IPGVE4VDU6/",
            },
            {
               name: "FEDORA-2022-1a01ed37e2",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XBR3G3JR5ZIOJDO4224M3INXDS2VFDD/",
            },
            {
               name: "FEDORA-2022-7291b78111",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J5LGNTICB5BRFAG3DHVVELS6H3CZSQMO/",
            },
            {
               name: "[debian-lts-announce] 20221207 [SECURITY] [DLA 3230-1] jqueryui security update",
               tags: [
                  "mailing-list",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2022/12/msg00015.html",
            },
         ],
         source: {
            advisory: "GHSA-h6gj-6jjq-h8g9",
            discovery: "UNKNOWN",
         },
         title: "jQuery UI contains potential XSS vulnerability when refreshing a checkboxradio with an HTML-like initial text label",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2022-31160",
      datePublished: "2022-07-20T00:00:00",
      dateReserved: "2022-05-18T00:00:00",
      dateUpdated: "2024-08-03T07:11:39.646Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted