Bug 1171439 (CVE-2020-8020) - VUL-0: CVE-2020-8020: obs-server: persistent XSS in markdown parser
Summary: VUL-0: CVE-2020-8020: obs-server: persistent XSS in markdown parser
Status: RESOLVED FIXED
Alias: CVE-2020-8020
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-05-11 09:17 UTC by Marcus Meissner
Modified: 2020-11-19 16:32 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 4 Victor Pereira 2020-05-11 13:07:36 UTC
The problem is in our custom renderer https://github.com/openSUSE/open-build-service/blob/master/src/api/lib/obsapi/markdown_renderer.rb.

Basing it on https://www.rubydoc.info/github/vmg/redcarpet/Redcarpet/Render/Safe instead of `Redcarpet::Render::HTML` fixes the problem.
Comment 5 Victor Pereira 2020-05-13 11:54:22 UTC
Patches are in place, fixed with PR https://github.com/openSUSE/open-build-service/pull/9546. Working now on the backport for our Appliance.
Comment 8 Victor Pereira 2020-06-11 12:47:19 UTC
The patches are applied and backported to our appliances. From our side, the issue could be closed.
Comment 9 Alexandros Toptsoglou 2020-08-04 11:52:43 UTC
Done
Comment 10 Wolfgang Frisch 2020-11-19 16:32:40 UTC
*** Bug 1178880 has been marked as a duplicate of this bug. ***