Bugzilla – Bug 1171439
VUL-0: CVE-2020-8020: obs-server: persistent XSS in markdown parser
Last modified: 2020-11-19 16:32:40 UTC
The problem is in our custom renderer https://github.com/openSUSE/open-build-service/blob/master/src/api/lib/obsapi/markdown_renderer.rb. Basing it on https://www.rubydoc.info/github/vmg/redcarpet/Redcarpet/Render/Safe instead of `Redcarpet::Render::HTML` fixes the problem.
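An added illustration, not code from the OBS project or the redcarpet gem: a minimal stand-in for the two renderer options that `Redcarpet::Render::Safe` turns on and `Redcarpet::Render::HTML` leaves off (`escape_html` and `safe_links_only`), so the behavioural difference the fix relies on can be seen offline. The safe-prefix list, the toy markdown subset and the sample input are assumptions constructed for this example.

```ruby
# Illustrative reimplementation (assumption, not redcarpet's own code) of what
# escape_html: true and safe_links_only: true change about rendering
# user-supplied markdown. Render::HTML passes raw HTML and any link target
# through verbatim, which is what made the stored markdown a persistent XSS.

# Link prefixes a safe-links-only renderer lets through (list modelled on
# redcarpet's safe-link check; treat as an assumption). Anything else, such as
# a javascript: or data: scheme, is rendered as plain text instead of a link.
SAFE_LINK_PREFIXES = %w[http:// https:// ftp:// mailto: / #].freeze

def safe_link?(href)
  SAFE_LINK_PREFIXES.any? { |prefix| href.downcase.start_with?(prefix) }
end

def html_escape(str)
  str.gsub(/[&<>"']/, '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                      '"' => '&quot;', "'" => '&#39;')
end

# One markdown link [text](href), rendered the way each renderer would.
def render_link(text, href, safe_links_only:)
  return html_escape(text) if safe_links_only && !safe_link?(href)
  "<a href=\"#{html_escape(href)}\">#{html_escape(text)}</a>"
end

# A raw HTML tag that appeared verbatim in the markdown source.
def render_raw_html(tag, escape_html:)
  escape_html ? html_escape(tag) : tag
end

# Toy markdown subset: inline links and raw HTML tags, handled in a single
# pass so that the <a> tags we emit ourselves are never re-escaped.
TOKEN_RE = /\[([^\]]*)\]\(([^)]*)\)|<[^>]+>/

# safe: false mirrors Render::HTML; safe: true mirrors Render::Safe.
def render_user_markdown(src, safe:)
  src.gsub(TOKEN_RE) do |token|
    if $1 # first alternative matched: a markdown link
      render_link($1, $2, safe_links_only: safe)
    else  # second alternative matched: raw HTML
      render_raw_html(token, escape_html: safe)
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  sample = 'See <b>docs</b> and [here](javascript:alert)' # constructed input
  puts render_user_markdown(sample, safe: false) # raw HTML and link pass through
  puts render_user_markdown(sample, safe: true)  # HTML escaped, unsafe link dropped
end
```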
Patches are in place, fixed with PR https://github.com/openSUSE/open-build-service/pull/9546. Working now on the backport for our Appliance.
https://github.com/openSUSE/open-build-service/commit/7cc32c8e2ff7290698e101d9a80a9dc29a5500fb
The patches are applied and backported to our appliances. From our side, the issue could be closed.
Done
*** Bug 1178880 has been marked as a duplicate of this bug. ***