Bug 1204741 - (CVE-2022-43754) VUL-0: CVE-2022-43754: SUMA/UYUNI reflected cross site scripting in /rhn/audit/scap/Search.do
(CVE-2022-43754)
VUL-0: CVE-2022-43754: SUMA/UYUNI reflected cross site scripting in /rhn/audi...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P5 - None : Normal
: ---
Assigned To: Kevin Walter
Security Team bot
CVSSv3.1:SUSE:CVE-2022-43754:3.0:(AV:...
:
Depends on:
Blocks: 1201713
  Show dependency treegraph
 
Reported: 2022-10-26 10:49 UTC by Paolo Perego
Modified: 2022-11-04 17:39 UTC (History)
17 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Paolo Perego 2022-10-26 10:49:16 UTC
During a SUMA/UYUNI audit, a stored cross-site scripting vulnerability it has been found on the /rhn/audit/scap/Search.do page.

In the "Search XCCDF Rules For:" text field, the attacker can inject malicious javascript code by using "/> as prefix and then the arbitrary js (e.g. "/><script>alert(1)</script>.

The injected code is copied in the HTML without sanitization, in the alert and messages portion of the page. The "/> sequence is needed to trigger the error and then having the js code to be copied in the output page.

Here it is the evil payload in the result page:

         <!-- Alerts and messages -->
          
            <div class="alert alert-warning">
              <ul>
              
                <li>Could not parse query '"/><script>alert(1)</script>'.</li>
              
              </ul>
            </div>

Please note that this attack is possible only on a successful POST request on an authenticated session. This limits the severity of the issue itself.

CVSS is 3.0: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N

I marked confidentiality low because pxt-session-cookie and JSESSIONID cookies are HttpOnly and secure. So even the exposure is limited.


Mitigation:
Some form of filtering and HTML character escaping must be performed on every input field.
Comment 5 Johannes Segitz 2022-10-26 11:05:53 UTC
Please use CVE-2022-43754 for this
Comment 10 OBSbugzilla Bot 2022-10-31 15:19:50 UTC
This is an autogenerated message for IBS integration:
This bug (1204741) was mentioned in
https://build.suse.de/request/show/283450 SLE-15-SP4:Manager43 / spacewalk-java-SP4_Update_Products_Manager43
https://build.suse.de/request/show/283451 SLE-15-SP3:Manager42 / spacewalk-java-SP3_Update_Products_Manager42
https://build.suse.de/request/show/283458 SLE-15-SP3 / release-notes-susemanager+release-notes-susemanager-proxy
Comment 11 Paolo Perego 2022-11-04 16:11:32 UTC
Fixed versions: SUMA 4.3.2, 4.2.10 and Uyuni-2022.10
Comment 12 Swamp Workflow Management 2022-11-04 17:30:20 UTC
SUSE-SU-2022:3880-1: An update that fixes three vulnerabilities is now available.

Category: security (critical)
Bug References: 1204543,1204716,1204741
CVE References: CVE-2022-31255,CVE-2022-43753,CVE-2022-43754
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.3 (src):    spacewalk-java-4.3.39-150400.3.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2022-11-04 17:32:38 UTC
SUSE-SU-2022:3878-1: An update that solves three vulnerabilities and has 18 fixes is now available.

Category: security (critical)
Bug References: 1195624,1197724,1199726,1200596,1201059,1201788,1202167,1202729,1202785,1203283,1203406,1203422,1203564,1203599,1203611,1203898,1204146,1204203,1204543,1204716,1204741
CVE References: CVE-2022-31255,CVE-2022-43753,CVE-2022-43754
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src):    hub-xmlrpc-api-0.7-150300.3.9.2, inter-server-sync-0.2.4-150300.8.25.2, locale-formula-0.3-150300.3.3.2, py27-compat-salt-3000.3-150300.7.7.26.2, python-urlgrabber-3.10.2.1py2_3-150300.3.3.2, spacecmd-4.2.20-150300.4.30.2, spacewalk-backend-4.2.25-150300.4.32.4, spacewalk-client-tools-4.2.21-150300.4.27.3, spacewalk-java-4.2.43-150300.3.48.2, spacewalk-utils-4.2.18-150300.3.21.2, spacewalk-web-4.2.30-150300.3.30.3, susemanager-4.2.38-150300.3.44.3, susemanager-doc-indexes-4.2-150300.12.36.3, susemanager-docs_en-4.2-150300.12.36.2, susemanager-schema-4.2.25-150300.3.30.3, susemanager-sls-4.2.28-150300.3.36.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2022-11-04 17:39:30 UTC
SUSE-SU-2022:3879-1: An update that solves three vulnerabilities and has 18 fixes is now available.

Category: security (critical)
Bug References: 1195624,1197724,1199726,1200596,1201059,1201788,1202167,1202729,1202785,1203283,1203406,1203422,1203564,1203599,1203611,1203898,1204146,1204203,1204543,1204716,1204741
CVE References: CVE-2022-31255,CVE-2022-43753,CVE-2022-43754
JIRA References: 
Sources used:
SUSE Manager Server 4.2 (src):    release-notes-susemanager-4.2.10-150300.3.57.1
SUSE Manager Retail Branch Server 4.2 (src):    release-notes-susemanager-proxy-4.2.10-150300.3.46.1
SUSE Manager Proxy 4.2 (src):    release-notes-susemanager-proxy-4.2.10-150300.3.46.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.