Bug 1192075 (CVE-2021-41183)

Summary: VUL-0: CVE-2021-41183: python-XStatic-jquery-ui: XSS in `*Text` options of the Datepicker widget
Product: [Novell Products] SUSE Security Incidents Reporter: Carlos López <carlos.lopez>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: calmeidadeoliveira, cloud-bugs, dmueller, gayane.osipyan, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/313602/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-41183:6.5:(AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Carlos López 2021-10-27 12:46:17 UTC 
CVE-2021-41183

jQuery-UI is the official jQuery user interface library. Prior to version
1.13.0, accepting the value of various `*Text` options of the Datepicker widget
from untrusted sources may execute untrusted code. The issue is fixed in jQuery
UI 1.13.0. The values passed to various `*Text` options are now always treated
as pure text, not HTML. A workaround is to not accept the value of the `*Text`
options from untrusted sources.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41183
https://github.com/jquery/jquery-ui/pull/1953
https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4
https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/
https://bugs.jqueryui.com/ticket/15284
Comment 1 Carlos López 2021-10-27 12:47:13 UTC 
Affected codestreams:
 - SUSE:SLE-12-SP3:Update:Products:Cloud8:Update
 - SUSE:SLE-12-SP4:Update:Products:Cloud9:Update

Also affected for openSUSE:
 - openSUSE:Factory
 - openSUSE:Leap:15.2
 - openSUSE:Backports:SLE-15-SP2
 - openSUSE:Backports:SLE-15-SP3
 - openSUSE:Backports:SLE-15-SP4
Comment 4 Swamp Workflow Management 2022-05-18 19:16:49 UTC 
SUSE-SU-2022:1729-1: An update that solves 17 vulnerabilities, contains two features and has one errata is now available.

Category: security (important)
Bug References: 1118088,1179534,1184177,1186380,1189390,1189794,1192070,1192073,1192075,1193597,1193688,1193752,1194521,1194551,1194552,1194952,1194954,1199138
CVE References: CVE-2018-19787,CVE-2020-27783,CVE-2021-28957,CVE-2021-38155,CVE-2021-40085,CVE-2021-41182,CVE-2021-41183,CVE-2021-41184,CVE-2021-43813,CVE-2021-43818,CVE-2021-44716,CVE-2022-22815,CVE-2022-22816,CVE-2022-22817,CVE-2022-23451,CVE-2022-23452,CVE-2022-29970
JIRA References: SOC-11620,SOC-11621
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    grafana-6.7.4-3.26.1, openstack-barbican-7.0.1~dev24-3.14.1, openstack-cinder-13.0.10~dev24-3.34.2, openstack-heat-gbp-14.0.1~dev4-3.9.1, openstack-horizon-plugin-gbp-ui-14.0.1~dev3-3.9.1, openstack-ironic-11.1.5~dev18-3.28.2, openstack-keystone-14.2.1~dev9-3.28.2, openstack-neutron-13.0.8~dev206-3.40.1, openstack-neutron-gbp-14.0.1~dev33-3.31.1, python-Pillow-5.2.0-3.17.1, python-XStatic-jquery-ui-1.13.0.1-4.3.1, python-lxml-4.2.4-3.3.1, release-notes-suse-openstack-cloud-9.20220413-3.30.1, rubygem-sinatra-1.4.6-4.3.1
SUSE OpenStack Cloud 9 (src):    ardana-barbican-9.0+git.1644879908.8a641c1-3.13.1, grafana-6.7.4-3.26.1, openstack-barbican-7.0.1~dev24-3.14.1, openstack-cinder-13.0.10~dev24-3.34.2, openstack-heat-gbp-14.0.1~dev4-3.9.1, openstack-horizon-plugin-gbp-ui-14.0.1~dev3-3.9.1, openstack-ironic-11.1.5~dev18-3.28.2, openstack-keystone-14.2.1~dev9-3.28.2, openstack-neutron-13.0.8~dev206-3.40.1, openstack-neutron-gbp-14.0.1~dev33-3.31.1, python-Pillow-5.2.0-3.17.1, python-XStatic-jquery-ui-1.13.0.1-4.3.1, python-lxml-4.2.4-3.3.1, release-notes-suse-openstack-cloud-9.20220413-3.30.1, venv-openstack-barbican-7.0.1~dev24-3.35.2, venv-openstack-cinder-13.0.10~dev24-3.38.1, venv-openstack-designate-7.0.2~dev2-3.35.1, venv-openstack-glance-17.0.1~dev30-3.33.1, venv-openstack-heat-11.0.4~dev4-3.35.1, venv-openstack-horizon-14.1.1~dev11-4.39.1, venv-openstack-ironic-11.1.5~dev18-4.33.1, venv-openstack-keystone-14.2.1~dev9-3.36.1, venv-openstack-magnum-7.2.1~dev1-4.35.1, venv-openstack-manila-7.4.2~dev60-3.41.1, venv-openstack-monasca-2.7.1~dev10-3.37.1, venv-openstack-monasca-ceilometer-1.8.2~dev3-3.35.1, venv-openstack-neutron-13.0.8~dev206-6.39.1, venv-openstack-nova-18.3.1~dev91-3.39.1, venv-openstack-octavia-3.2.3~dev7-4.35.1, venv-openstack-sahara-9.0.2~dev15-3.35.1, venv-openstack-swift-2.19.2~dev48-2.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Christian Almeida de Oliveira 2022-07-27 09:11:47 UTC 
added to the last MU, back to security team.