Bug 1204741 (CVE-2022-43754)

Summary: VUL-0: CVE-2022-43754: SUMA/UYUNI reflected cross site scripting in /rhn/audit/scap/Search.do
Product: [Novell Products] SUSE Security Incidents Reporter: Paolo Perego <paolo.perego>
Component: IncidentsAssignee: Kevin Walter <kwalter>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: amehmood, bmaryniuk, galaxy-bugs, gianluca.gabrielli, jack.hodge, jcayouette, jgonzalez, johannes.hahn, kwalter, mark.vangool, mc, mchiaradia, michael.brookhuis, oholecek, paolo.perego, parlt, samuel.snow
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVSSv3.1:SUSE:CVE-2022-43754:3.0:(AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1201713    

Description Paolo Perego 2022-10-26 10:49:16 UTC 
During a SUMA/UYUNI audit, a stored cross-site scripting vulnerability it has been found on the /rhn/audit/scap/Search.do page.

In the "Search XCCDF Rules For:" text field, the attacker can inject malicious javascript code by using "/> as prefix and then the arbitrary js (e.g. "/><script>alert(1)</script>.

The injected code is copied in the HTML without sanitization, in the alert and messages portion of the page. The "/> sequence is needed to trigger the error and then having the js code to be copied in the output page.

Here it is the evil payload in the result page:

         <!-- Alerts and messages -->
          
            <div class="alert alert-warning">
              <ul>
              
                <li>Could not parse query '"/><script>alert(1)</script>'.</li>
              
              </ul>
            </div>

Please note that this attack is possible only on a successful POST request on an authenticated session. This limits the severity of the issue itself.

CVSS is 3.0: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N

I marked confidentiality low because pxt-session-cookie and JSESSIONID cookies are HttpOnly and secure. So even the exposure is limited.


Mitigation:
Some form of filtering and HTML character escaping must be performed on every input field.
Comment 5 Johannes Segitz 2022-10-26 11:05:53 UTC 
Please use CVE-2022-43754 for this
Comment 10 OBSbugzilla Bot 2022-10-31 15:19:50 UTC 
This is an autogenerated message for IBS integration:
This bug (1204741) was mentioned in
https://build.suse.de/request/show/283450 SLE-15-SP4:Manager43 / spacewalk-java-SP4_Update_Products_Manager43
https://build.suse.de/request/show/283451 SLE-15-SP3:Manager42 / spacewalk-java-SP3_Update_Products_Manager42
https://build.suse.de/request/show/283458 SLE-15-SP3 / release-notes-susemanager+release-notes-susemanager-proxy
Comment 11 Paolo Perego 2022-11-04 16:11:32 UTC 
Fixed versions: SUMA 4.3.2, 4.2.10 and Uyuni-2022.10
Comment 12 Swamp Workflow Management 2022-11-04 17:30:20 UTC 
SUSE-SU-2022:3880-1: An update that fixes three vulnerabilities is now available.

Category: security (critical)
Bug References: 1204543,1204716,1204741
CVE References: CVE-2022-31255,CVE-2022-43753,CVE-2022-43754
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.3 (src):    spacewalk-java-4.3.39-150400.3.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2022-11-04 17:32:38 UTC 
SUSE-SU-2022:3878-1: An update that solves three vulnerabilities and has 18 fixes is now available.

Category: security (critical)
Bug References: 1195624,1197724,1199726,1200596,1201059,1201788,1202167,1202729,1202785,1203283,1203406,1203422,1203564,1203599,1203611,1203898,1204146,1204203,1204543,1204716,1204741
CVE References: CVE-2022-31255,CVE-2022-43753,CVE-2022-43754
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src):    hub-xmlrpc-api-0.7-150300.3.9.2, inter-server-sync-0.2.4-150300.8.25.2, locale-formula-0.3-150300.3.3.2, py27-compat-salt-3000.3-150300.7.7.26.2, python-urlgrabber-3.10.2.1py2_3-150300.3.3.2, spacecmd-4.2.20-150300.4.30.2, spacewalk-backend-4.2.25-150300.4.32.4, spacewalk-client-tools-4.2.21-150300.4.27.3, spacewalk-java-4.2.43-150300.3.48.2, spacewalk-utils-4.2.18-150300.3.21.2, spacewalk-web-4.2.30-150300.3.30.3, susemanager-4.2.38-150300.3.44.3, susemanager-doc-indexes-4.2-150300.12.36.3, susemanager-docs_en-4.2-150300.12.36.2, susemanager-schema-4.2.25-150300.3.30.3, susemanager-sls-4.2.28-150300.3.36.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2022-11-04 17:39:30 UTC 
SUSE-SU-2022:3879-1: An update that solves three vulnerabilities and has 18 fixes is now available.

Category: security (critical)
Bug References: 1195624,1197724,1199726,1200596,1201059,1201788,1202167,1202729,1202785,1203283,1203406,1203422,1203564,1203599,1203611,1203898,1204146,1204203,1204543,1204716,1204741
CVE References: CVE-2022-31255,CVE-2022-43753,CVE-2022-43754
JIRA References: 
Sources used:
SUSE Manager Server 4.2 (src):    release-notes-susemanager-4.2.10-150300.3.57.1
SUSE Manager Retail Branch Server 4.2 (src):    release-notes-susemanager-proxy-4.2.10-150300.3.46.1
SUSE Manager Proxy 4.2 (src):    release-notes-susemanager-proxy-4.2.10-150300.3.46.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.