github - ghsa-5m9v-2hhc-h2wj

ghsa-5m9v-2hhc-h2wj

Vulnerability from github

Published

2022-03-11 00:02

Modified

2022-03-17 00:01

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Details

Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an HTML entry. This may be used by a malicious website in clickjacking or similar attacks.</p></div> </div> <a href="https://github.com/advisories/ghsa-5m9v-2hhc-h2wj" class="card-link" rel="noreferrer" target="_blank">Show details on source website</a> <br /><br /> <div class="btn-group" role="group"> <a role="button" class="btn btn-primary" data-bs-toggle="collapse" data-bs-target="#collapseJsonghsa-5m9v-2hhc-h2wj" aria-expanded="false" aria-controls="collapseJsonghsa-5m9v-2hhc-h2wj"> JSON <svg class="bi" width="1em" height="1em" fill="currentColor"> <use xlink:href="/bootstrap/static/icons/bootstrap-icons.svg#chevron-down"/> </svg> </a> <div class="btn-group" role="group"> <button id="btnGroupDropShare" type="button" class="btn btn-primary" data-bs-toggle="dropdown" aria-expanded="false"> Share <svg class="bi" width="1em" height="1em" fill="currentColor"> <use xlink:href="/bootstrap/static/icons/bootstrap-icons.svg#chevron-down"/> </svg> </button> <ul class="dropdown-menu" aria-labelledby="btnGroupDropShare"> <li><a class="dropdown-item" href="https://news.ycombinator.com/submitlink?u=https://cve.circl.lu/vuln/ghsa-5m9v-2hhc-h2wj&t=Vulnerability ghsa-5m9v-2hhc-h2wj" target="_blank" title="Share on Hacker News">Hacker News</a></li> <li><a class="dropdown-item" href="https://www.linkedin.com/shareArticle?mini=true&url=https://cve.circl.lu/vuln/ghsa-5m9v-2hhc-h2wj&title=Vulnerability ghsa-5m9v-2hhc-h2wj" target="_blank" title="Share on LinkedIn">LinkedIn</a></li> <li><a class="dropdown-item" href="https://mastodonshare.com/?text=Vulnerability ghsa-5m9v-2hhc-h2wj&url=https://cve.circl.lu/vuln/ghsa-5m9v-2hhc-h2wj" target="_blank" title="Share on Mastodon">Mastodon</a></li> <li><a class="dropdown-item" href="https://www.newspipe.org/bookmark/bookmarklet?href=https://cve.circl.lu/vuln/ghsa-5m9v-2hhc-h2wj&title=Vulnerability ghsa-5m9v-2hhc-h2wj" target="_blank" title="Share on Newspipe">Newspipe</a></li> <li><a class="dropdown-item" href="https://api.pinboard.in/v1/posts/add?url=https://cve.circl.lu/vuln/ghsa-5m9v-2hhc-h2wj&description=Vulnerability ghsa-5m9v-2hhc-h2wj" target="_blank" title="Share on Pinboard">Pinboard</a></li> <li><a class="dropdown-item" href="https://reddit.com/submit?link=https://cve.circl.lu/vuln/ghsa-5m9v-2hhc-h2wj&title=Vulnerability ghsa-5m9v-2hhc-h2wj" target="_blank" title="Share on Reddit">Reddit</a></li> </ul> </div> <a type="button" class="btn btn-primary" title="Copy to clipboard" aria-label="Copy to clipboard" onclick="copyToClipboard('ghsa-5m9v-2hhc-h2wj')" vuln-id="ghsa-5m9v-2hhc-h2wj" href="#">To clipboard</a> </div> <div class="collapse" id="collapseJsonghsa-5m9v-2hhc-h2wj"> <br /> <div class="card card-body"> <pre class="json-container" id="containerghsa-5m9v-2hhc-h2wj">{ "affected": [], "aliases": [ "CVE-2021-3660" ], "database_specific": { "cwe_ids": [ "CWE-1021" ], "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2022-03-10T17:42:00Z", "severity": "MODERATE" }, "details": "Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an \u003ciFrame\u003e HTML entry. This may be used by a malicious website in clickjacking or similar attacks.", "id": "GHSA-5m9v-2hhc-h2wj", "modified": "2022-03-17T00:01:58Z", "published": "2022-03-11T00:02:32Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3660" }, { "type": "WEB", "url": "https://github.com/cockpit-project/cockpit/issues/16122" }, { "type": "WEB", "url": "https://github.com/cockpit-project/cockpit/commit/8d9bc10d8128aae03dfde62fd00075fe492ead10" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2022:2008" }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2021-3660" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1980688" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "type": "CVSS_V3" } ] }</pre> </div> </div> </div> </div> <br /> <ul class="nav nav-tabs" id="pageTab" role="tablist"> <li class="nav-item"> <button class="nav-link active" id="related-tab" data-bs-toggle="tab" data-bs-target="#related" role="tab" aria-controls="related" aria-selected="true" href="#related">Related vulnerabilities <span class="badge bg-primary rounded-pill">1</span></button> </li> <li class="nav-item"> <button class="nav-link" id="comments-tab" data-bs-toggle="tab" data-bs-target="#comments" role="tab" aria-controls="comments" aria-selected="false" onclick="loadComments()" href="#comments">Comments <span class="badge bg-primary rounded-pill" id="nb-comments">0</span></button> </li> <li class="nav-item"> <button class="nav-link" id="bundles-tab" data-bs-toggle="tab" data-bs-target="#bundles" role="tab" aria-controls="bundles" aria-selected="false" onclick="loadBundles()" href="#bundles">Bundles <span class="badge bg-primary rounded-pill" id="nb-bundles">0</span></button> </li> <li class="nav-item"> <button class="nav-link" id="sightings-tab" data-bs-toggle="tab" data-bs-target="#sightings" role="tab" aria-controls="sightings" aria-selected="false" onclick="loadSightings()" href="#sightings">Sightings <span class="badge bg-primary rounded-pill" id="nb-sightings">0</span></button> </li> </ul> <div class="tab-content" id="pageTabContent"> <div class="tab-pane fade show active" id="related" role="tabpanel" aria-labelledby="related-tab"> <br /> <div class="row"> <div class="col text-end"> <a class="icon-link" href="/recent/all.atom?vulnerability=ghsa-5m9v-2hhc-h2wj" type="application/atom+xml" title="Atom feed"> <svg class="bi" width="1em" height="1em" fill="currentColor"> <use xlink:href="/bootstrap/static/icons/bootstrap-icons.svg#rss"/> </svg> </a> <a class="icon-link" href="/recent/all.rss?vulnerability=ghsa-5m9v-2hhc-h2wj" type="application/atom+xml" title="RSS feed"> <svg class="bi" width="1em" height="1em" fill="currentColor"> <use xlink:href="/bootstrap/static/icons/bootstrap-icons.svg#rss-fill"/> </svg> </a> </div> </div> <div class="card"> <div class="card-body"> <h5 class="card-title"><a href="/vuln/cve-2021-3660">cve-2021-3660</a></h5> <h6 class="card-subtitle mb-2 text-body-secondary"> Vulnerability from <a href="https://github.com/CVEProject/cvelistV5" rel="noreferrer" target="_blank">cvelistv5</a> </h6> <div class="row"> <div class="col-md-2 fw-bold">Published</div><div class="col">2022-03-07 13:59</div> </div> <div class="row"> <div class="col-md-2 fw-bold">Modified</div><div class="col">2024-08-03 17:01</div> </div> <div class="row"> <div class="col-md-2 fw-bold" data-bs-toggle="tooltip" data-bs-placement="right" title="The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.">Severity <span style="color: green;">?</span></div> <div class="col"> </div> </div> <div class="row" hidden> <div class="col-md-2 fw-bold" data-bs-toggle="tooltip" data-bs-placement="left" title="Exploit Prediction Scoring System (EPSS) from FIRST. The EPSS score is representing the probability of exploitation in the wild in the next 30 days.">EPSS score <span style="color: green;">?</span></div> <div class="col"> <span id="epss-score"></span> <span id="epss-percentile" style="text-decoration:underline dotted" data-bs-toggle="tooltip" data-bs-placement="right" title="The percentile of the current score, the proportion of all scored vulnerabilities with the same or a lower EPSS score."></span> </div> </div> <div class="row"> <div class="col-md-2 fw-bold">Summary</div><div class="col">Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an <iFrame> HTML entry. This may be used by a malicious website in clickjacking or similar attacks.</div> </div> <div class="row"> <div class="col-md-2 fw-bold">References</div> <div class="col"> <table class="table table-borderless table-hover"> <thead> <tr data-bs-toggle="collapse" data-bs-target="#collapseReferenceTablecve-2021-3660" aria-expanded="false" aria-controls="collapseReferenceTablecve-2021-3660"> <th scope="col" style="width: 20px;"><span class="chevron" >▼</span></th><th scope="col">URL</th><th scope="col">Tags</th> </tr> </thead> <tbody class="collapse" id="collapseReferenceTablecve-2021-3660"> <tr><td></td><td><a href="https://bugzilla.redhat.com/show_bug.cgi?id=1980688" rel="noreferrer" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1980688</a></td><td>x_refsource_MISC</td></tr> <tr><td></td><td><a href="https://github.com/cockpit-project/cockpit/issues/16122" rel="noreferrer" target="_blank">https://github.com/cockpit-project/cockpit/issues/16122</a></td><td>x_refsource_MISC</td></tr> <tr><td></td><td><a href="https://github.com/cockpit-project/cockpit/commit/8d9bc10d8128aae03dfde62fd00075fe492ead10" rel="noreferrer" target="_blank">https://github.com/cockpit-project/cockpit/commit/8d9bc10d8128aae03dfde62fd00075fe492ead10</a></td><td>x_refsource_MISC</td></tr> </table> </tbody> </div> </div> <div class="row"> <div class="col-md-2 fw-bold">Impacted products</div> <div class="col"> <table class="table table-borderless table-hover"> <thead> <tr> <th scope="col" style="width: 20px;"></th> <th scope="col">Vendor</th> <th scope="col">Product</th> <th scope="col">Version</th> </tr> </thead> <tbody>  <tr data-bs-toggle="collapse" data-bs-target="#collapseProductTablecve-2021-3660" aria-expanded="false" aria-controls="collapseProductTablecve-2021-3660"> <td><span class="chevron">▼</span></td> <td><a href="/search?vendor=n/a">n/a</a></td> <td><a href="/search?vendor=n/a&product=cockpit">cockpit</a></td> <td> <b>Version:</b> Fixed in cockpit v254 and later.<br /> </td> </tr>  <tr class="collapse" id="collapseProductTablecve-2021-3660"> <td colspan="4"> <table class="table table-borderless"> <tbody> </tbody> </table> </td> </tr> </tbody> </table> </div> </div> <a href="https://nvd.nist.gov/vuln/detail/cve-2021-3660" class="card-link" rel="noreferrer" target="_blank">Show details on NVD website</a> <br /><br /> <div class="btn-group" role="group"> <a role="button" class="btn btn-primary" data-bs-toggle="collapse" data-bs-target="#collapseJsoncve-2021-3660" aria-expanded="false" aria-controls="collapseJsoncve-2021-3660"> JSON <svg class="bi" width="1em" height="1em" fill="currentColor"> <use xlink:href="/bootstrap/static/icons/bootstrap-icons.svg#chevron-down"/> </svg> </a> <div class="btn-group" role="group"> <button id="btnGroupDropShare" type="button" class="btn btn-primary" data-bs-toggle="dropdown" aria-expanded="false"> Share <svg class="bi" width="1em" height="1em" fill="currentColor"> <use xlink:href="/bootstrap/static/icons/bootstrap-icons.svg#chevron-down"/> </svg> </button> <ul class="dropdown-menu" aria-labelledby="btnGroupDropShare"> <li><a class="dropdown-item" href="https://news.ycombinator.com/submitlink?u=https://cve.circl.lu/vuln/cve-2021-3660&t=Vulnerability cve-2021-3660" target="_blank" title="Share on Hacker News">Hacker News</a></li> <li><a class="dropdown-item" href="https://www.linkedin.com/shareArticle?mini=true&url=https://cve.circl.lu/vuln/cve-2021-3660&title=Vulnerability cve-2021-3660" target="_blank" title="Share on LinkedIn">LinkedIn</a></li> <li><a class="dropdown-item" href="https://mastodonshare.com/?text=Vulnerability cve-2021-3660&url=https://cve.circl.lu/vuln/cve-2021-3660" target="_blank" title="Share on Mastodon">Mastodon</a></li> <li><a class="dropdown-item" href="https://www.newspipe.org/bookmark/bookmarklet?href=https://cve.circl.lu/vuln/cve-2021-3660&title=Vulnerability cve-2021-3660" target="_blank" title="Share on Newspipe">Newspipe</a></li> <li><a class="dropdown-item" href="https://api.pinboard.in/v1/posts/add?url=https://cve.circl.lu/vuln/cve-2021-3660&description=Vulnerability cve-2021-3660" target="_blank" title="Share on Pinboard">Pinboard</a></li> <li><a class="dropdown-item" href="https://reddit.com/submit?link=https://cve.circl.lu/vuln/cve-2021-3660&title=Vulnerability cve-2021-3660" target="_blank" title="Share on Reddit">Reddit</a></li> </ul> </div> <a type="button" class="btn btn-primary" title="Copy to clipboard" aria-label="Copy to clipboard" onclick="copyToClipboard('cve-2021-3660')" vuln-id="cve-2021-3660" href="#">To clipboard</a> </div> <div class="collapse" id="collapseJsoncve-2021-3660"> <br /> <div class="card card-body"> <pre class="json-container" id="containercve-2021-3660">{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T17:01:08.335Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1980688" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/cockpit-project/cockpit/issues/16122" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/cockpit-project/cockpit/commit/8d9bc10d8128aae03dfde62fd00075fe492ead10" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "cockpit", "vendor": "n/a", "versions": [ { "status": "affected", "version": "Fixed in cockpit v254 and later." } ] } ], "descriptions": [ { "lang": "en", "value": "Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an \u003ciFrame\u003e HTML entry. This may be used by a malicious website in clickjacking or similar attacks." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1021", "description": "CWE-1021 - Improper Restriction of Rendered UI Layers or Frames", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-03-07T13:59:18", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1980688" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/cockpit-project/cockpit/issues/16122" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/cockpit-project/cockpit/commit/8d9bc10d8128aae03dfde62fd00075fe492ead10" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2021-3660", "datePublished": "2022-03-07T13:59:18", "dateReserved": "2021-07-22T00:00:00", "dateUpdated": "2024-08-03T17:01:08.335Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }</pre> </div> </div> </div> </div> <br /> </div> <div class="tab-pane fade show" id="comments" role="tabpanel" aria-labelledby="comments-tab"> <br /> <div class="row"> <div class="col"> <p><a href="/user/login">Log in</a> or <a href="/user/signup">create an account</a> to share your comment.</p> </div> <div class="col text-end"> <a class="icon-link" href="/comments/feed.atom?vulnerability=ghsa-5m9v-2hhc-h2wj" type="application/atom+xml" title="Atom feed"> <svg class="bi" width="1em" height="1em" fill="currentColor"> <use xlink:href="/bootstrap/static/icons/bootstrap-icons.svg#rss"/> </svg> </a> <a class="icon-link" href="/comments/feed.rss?vulnerability=ghsa-5m9v-2hhc-h2wj" type="application/atom+xml" title="RSS feed"> <svg class="bi" width="1em" height="1em" fill="currentColor"> <use xlink:href="/bootstrap/static/icons/bootstrap-icons.svg#rss-fill"/> </svg> </a> </div> </div> <div class="collapse" id="newCommentghsa-5m9v-2hhc-h2wj"> <div class="row"> <div class="col-md-9"> <div id="editor"></div> </div> <div class="col"> <br /><br /><br /> <div class="card card-body my-3"> <h5>Tags</h5> <select class="form-multi-select" id="select-tags" size="9" multiple> <optgroup label="Exploitability" exclusive="true"> <option value="vulnerability:exploitability=industrialised">Industrialised</option> <option value="vulnerability:exploitability=customised">Customised</option> <option value="vulnerability:exploitability=documented">Documented</option> <option value="vulnerability:exploitability=theoretical">Theoretical</option> </optgroup> <optgroup label="Information" exclusive="false"> <option value="vulnerability:information=PoC">Proof-of-Concept</option> <option value="vulnerability:information=remediation">Remediation</option> <option value="vulnerability:information=annotation">Annotation</option> </optgroup> </select> <a href="https://www.misp-project.org/taxonomies.html#_vulnerability_3" rel="noreferrer" target="_blank">Taxonomy of the tags.</a> </div> <button class='btn btn-primary' id='savecomment' title="Save the comment">Save the comment</button> </div> </div> </div> <br /><br /> <div id="list-comments"> <div class="d-flex justify-content-center"> <div class="spinner-border" role="status"><span class="sr-only">Loading…</span></div> </div> </div> </div> <div class="tab-pane fade show" id="bundles" role="tabpanel" aria-labelledby="bundles-tab"> <br /> <div id="list-bundles"> <div class="d-flex justify-content-center"> <div class="spinner-border" role="status"><span class="sr-only">Loading…</span></div> </div> </div> </div> <div class="tab-pane fade show" id="sightings" role="tabpanel" aria-labelledby="sightings-tab"> <br /> <div class="row pb-3" id="sightings-pane-top"> <div class="col"> <a class="btn btn-primary" href="/sightings/?query=ghsa-5m9v-2hhc-h2wj">All sightings related to this event</a> <a class="btn btn-primary" href="/sightings/misp_export?vulnerability=ghsa-5m9v-2hhc-h2wj">Export sightings related to this event</a> </div> </div> <div id="chart-sightings"> <div class="d-flex justify-content-center"> <div class="spinner-border" role="status"><span class="sr-only">Loading…</span></div> </div> </div> <div id="sightingsChartContainer" class="chart-container pt-3"> <canvas id="sightingsChart" height="400"></canvas> </div> <div class="row"> <h3>Sightings</h3> <div class="table-responsive"> <table class="table"> <thead> <tr> <th scope="col">Author</th> <th scope="col">Source</th> <th scope="col">Type</th> <th scope="col">Date</th> </tr> </thead> <tbody id="sighting-table-body"></tbody> </table> </div> </div> <div id="chart-detailed-legend" class="row"> <h3>Nomenclature</h3> <div class="col-md-8"> <ul class="list-group list-group-flush"> <li class="list-group-item"><b>Seen</b>: The vulnerability was mentioned, discussed, or seen somewhere by the user.</li> <li class="list-group-item"><b>Confirmed</b>: The vulnerability is confirmed from an analyst perspective.</li> <li class="list-group-item"><b>Exploited</b>: This vulnerability was exploited and seen by the user reporting the sighting.</li> <li class="list-group-item"><b>Patched</b>: This vulnerability was successfully patched by the user reporting the sighting.</li> <li class="list-group-item"><b>Not exploited</b>: This vulnerability was not exploited or seen by the user reporting the sighting.</li> <li class="list-group-item"><b>Not confirmed</b>: The user expresses doubt about the veracity of the vulnerability.</li> <li class="list-group-item"><b>Not patched</b>: This vulnerability was not successfully patched by the user reporting the sighting.</li> </ul> </div> </div> </div> </div> <script> let easyMDE = null; let SCHEMA = null; let COMMENTS = {}; function openTabById(tabId) { const tabButton = document.querySelector(`button[data-bs-target="${tabId}"]`); if (tabButton) { const tab = new bootstrap.Tab(tabButton); tab.show(); } else { console.error(`Tab with ID ${tabId} not found.`); } } function getSelectValues(select) { var tags = []; var options = select && select.options; var opt; for (var i=0, iLen=options.length; i<iLen; i++) { opt = options[i]; if (opt.selected) { if (opt.parentNode.getAttribute("exclusive") == "true") { options1 = document.getElementById("select-tags").options; for (var j=0, jLen=options1.length; j<jLen; j++) { opt1 = options1[j]; if (opt1.parentNode.getAttribute("exclusive") == "true") { opt1.selected = false; } } opt.selected = true; } tags.push(opt.value || opt.text); } } var json = jsoneditor.getValue(); if (!("meta" in json)) { json["meta"] = [{"tags": tags}]; } else { json["meta"].forEach(function(value, index, array) { if ("tags" in value) { obj = {"tags": tags} json["meta"] = []; json["meta"] = [obj]; } }) } jsoneditor.setValue(json); } document.getElementById("select-tags").onclick= function (e) { getSelectValues(document.getElementById("select-tags")); }; function formatNumberWithPrecision(value, precision) { const formattedValue = parseFloat(value.toFixed(precision)); return formattedValue; } function RoundNumber(value) { return Math.round(value); } document.addEventListener("DOMContentLoaded", function() { // Enable tootips var tooltipTriggerList = [].slice.call(document.querySelectorAll('[data-bs-toggle="tooltip"]')) var tooltipList = tooltipTriggerList.map(function (tooltipTriggerEl) { return new bootstrap.Tooltip(tooltipTriggerEl) }) // Pretty print of JSON data in JSON containers var jsonContainers = document.querySelectorAll(".json-container"); Array.prototype.forEach.call(jsonContainers, function(jsonContainer) { jsonContainer.innerHTML = prettyPrintJson.toHtml(JSON.parse(jsonContainer.innerText)); }); // Open the tab specified with an anchor in the URL. const hash = window.location.hash; const tabButton = document.querySelector(`button[data-bs-target="${hash}"]`); if (tabButton) { const tab = new bootstrap.Tab(tabButton); tab.show(); selected_tab = tabButton.getAttribute("id"); switch (selected_tab) { case "comments-tab": loadComments(); break; case "bundles-tab": loadBundles(); break; case "sightings-tab": loadSightings(); break; default: openTabById("#related"); break; } } else { openTabById("#related"); } // Update the URL when a tab is clicked, for consistent behavior document.querySelectorAll('.nav-link[data-bs-toggle="tab"]').forEach(tabLink => { tabLink.addEventListener("shown.bs.tab", function(event) { history.replaceState(null, null, event.target.getAttribute("href")); }); }); // Retrieve the JSON schema for the comment and initialize the editor. fetch("/static/schemas/CIRCL/Security_Advisory_Comment.json") .then(response => response.json()) .then(result => { // initialize the JSON editor SCHEMA = result; initialize_editor(SCHEMA, {}); }).catch((error) => { console.error('Error:', error); }); // Retrieve the EPSS score epss_score_elem = document.getElementById("epss-score"); if (epss_score_elem) { fetch("/api/epss/ghsa-5m9v-2hhc-h2wj") .then(response => response.json()) .then(result => { if (result.total >= 1) { document.getElementById("epss-score").parentNode.parentNode.removeAttribute("hidden"); document.getElementById("epss-score").innerText = (result.data[0].epss * 100).toFixed(2) + "%"; document.getElementById("epss-percentile").innerText = "(" + formatNumberWithPrecision(Number(result.data[0].percentile), 5) + ")"; } else { document.getElementById("epss-score").parentNode.parentNode.remove(); } }).catch((error) => { console.error('Error:', error); document.getElementById("epss-score").parentNode.parentNode.remove(); }); } }) // End DOMContentLoaded listener if (document.getElementById("deleteVulnerability")) { document.getElementById("deleteVulnerability").onclick = function(event) { if (!confirm('You are going to delete the vulnerability. Are you sure?')) { return; } var csrf_token = "IjdiNmE1ZDVmYmE3ZTlkZjkwYWVlNmUxZmNlMmQzNGU0MDAyNzI2YjAi.Z27L2w.N03jqw-u0DLkv5cWJhEJJj3TdM4"; fetch("/api/vulnerability/ghsa-5m9v-2hhc-h2wj", { method: "DELETE", headers: { 'Content-Type': 'application/json', 'X-CSRFToken': csrf_token } }) .then(response => { if (!response.ok) { console.log(response); } else { window.location="/recent"; } }) .catch((error) => { console.log(error); }); }; } function addSighting(originalEvent, source) { const clickedItem = originalEvent.target; var csrf_token = "IjdiNmE1ZDVmYmE3ZTlkZjkwYWVlNmUxZmNlMmQzNGU0MDAyNzI2YjAi.Z27L2w.N03jqw-u0DLkv5cWJhEJJj3TdM4"; var json = {}; json["type"] = clickedItem.getAttribute("value"); json["vulnerability"] = "ghsa-5m9v-2hhc-h2wj"; json["source"] = source; data = JSON.stringify(json); fetch("/api/sighting/", { method: "POST", headers: { 'Content-Type': 'application/json', 'X-CSRFToken': csrf_token }, body: data }) .then(res => { if (!res.ok) { res.json().then(json => { document.getElementById("modal-error-text").innerText = "Problem when saving sighting."; var modal = new bootstrap.Modal(document.getElementById('modalError'), {}); modal.show(); }); } else { loadSightings(); showToast("Success", "Sighting added successfully!"); openTabById("#sightings"); } }) .catch((error) => { console.log(error); }); }; // Function to display the modal function showModal(title, message, confirmCallback, event) { // Get modal elements const modal = new bootstrap.Modal(document.getElementById('sightingModal')); const modalTitle = document.getElementById('sightingModalLabel'); const modalMessage = document.getElementById('modalMessage'); const confirmButton = document.getElementById('sightingModalConfirm'); const sourceInput = document.getElementById('sourceInput'); // Set modal title and body message modalTitle.textContent = title; modalMessage.textContent = message; // Clear previous input value sourceInput.value = ''; // Remove any previous click event to avoid duplication confirmButton.replaceWith(confirmButton.cloneNode(true)); // Attach new event listener for confirmation button document.getElementById('sightingModalConfirm').addEventListener('click', () => { const source = sourceInput.value.trim(); confirmCallback(event, source); // Pass the source to the callback modal.hide(); }); // Show the modal modal.show(); } // Attach click event listener to sightings list const sightings_list = document.getElementById('sighting-list'); if (sightings_list) { sightings_list.addEventListener('click', function (event) { showModal( 'New Sighting', 'Are you sure you want to add this sighting?', addSighting, event ); }); } document.getElementById("savecomment").addEventListener("click", function(event) { var csrf_token = "IjdiNmE1ZDVmYmE3ZTlkZjkwYWVlNmUxZmNlMmQzNGU0MDAyNzI2YjAi.Z27L2w.N03jqw-u0DLkv5cWJhEJJj3TdM4"; var json = jsoneditor.getValue(); json["description"] = easyMDE.value(); json["vulnerability"] = "ghsa-5m9v-2hhc-h2wj"; data = JSON.stringify(json); fetch("/api/comment/", { method: "POST", headers: { 'Content-Type': 'application/json', 'X-CSRFToken': csrf_token }, body: data }) .then(res => { if (!res.ok) { res.json().then(json => { document.getElementById("modal-error-text").innerText = json['message']; var modal = new bootstrap.Modal(document.getElementById('modalError'), {}); modal.show(); }); } else { // reinitializes the form window.jsoneditor.setValue({}); easyMDE.value(""); // collapse the view which is containing the form new bootstrap.Collapse(document.getElementById("newCommentghsa-5m9v-2hhc-h2wj")); // load the updated list of comments loadComments(); showToast("Success", "Comment added successfully!"); } }) .catch((error) => { console.log(error); }); }); function copyToClipboard(vuln_id) { const copyText = document.getElementById("container"+vuln_id).textContent; const textArea = document.createElement('textarea'); textArea.textContent = copyText; navigator.clipboard.writeText(textArea.value).then(function() { /* clipboard successfully set */ showToast("Success", "Content copied to your clipboard."); }, function() { /* clipboard write failed */ }); } function loadComments() { COMMENTS = {}; var DateTime = luxon.DateTime; var converter = new showdown.Converter({tables: true, moreStyling: true}); var commentTemplate = _.template( '<div class="card markdown-description">' + '<div class="card-body">' + '<h5 class="card-title"><a href="/comment/<%= uuid %>"><%= title %></a></h5>' + '<p class="card-title">' + '<% _.forEach(tags, function(tag) ' + '{ %><span class="badge bg-primary"><a class="link-light" href="/comments/?meta=%5B%7B%22tags%22%3A%20%5B%22<%= tag %>%22%5D%7D%5D"><%= tag %></a></span> <% }); %>' + '</p>' + '<h6 class="card-subtitle mb-2 text-body-secondary"><%= timestamp %> by <a href="/user/<%= author_login %>"><%= author_name %></a></h6>' + '<p class="card-text"><%= description %></p>' + '<div class="btn-group" role="group">' + '<a role="button" class="btn btn-primary" data-bs-toggle="collapse" data-bs-target="#collapseJsonComment<%= uuid %>" aria-expanded="false" aria-controls="collapseJsonComment<%= uuid %>">JSON</a>' + '</div>' + '<div class="collapse" id="collapseJsonComment<%= uuid %>"><br /><pre class="json-container"><%= comment %></pre></div>' + '</div></div>' ); fetch("/api/comment/?vuln_id=ghsa-5m9v-2hhc-h2wj") .then(response => response.json()) .then(result => { document.getElementById("list-comments").innerHTML = ""; document.getElementById("nb-comments").innerText = result.metadata.count; if (result.metadata.count == 0) { document.getElementById("list-comments").innerHTML = "<p>No comment for this vulnerability. Browse <a href='/comments'>all the comments</a>.</p>"; } result.data .sort(function (a, b) { return new Date(b.timestamp) - new Date(a.timestamp); }) .map(function (comment) { var author = comment.author delete comment.author; if (Array.isArray(comment["meta"]) && comment["meta"].length > 0) { var itemWithTags = comment.meta.find(item => item.tags); var tags = itemWithTags ? itemWithTags.tags : []; } else { var tags = []; } var cardHTML = commentTemplate({ 'comment': JSON.stringify(comment, null, 2), 'uuid': comment.uuid, 'title': comment.title, 'description': converter.makeHtml(comment.description), 'timestamp': DateTime.fromISO(comment.timestamp).toRelative(), 'author_name': author.name, 'author_login': author.login, 'tags': tags }); COMMENTS[comment.uuid] = comment; var element = document.createElement("div"); var element_br = document.createElement("br"); element.innerHTML = cardHTML; document.getElementById("list-comments").appendChild(element.firstChild); document.getElementById("list-comments").append(element_br); }) }) .then(_ => { setTimeout(() => { formatMarkdownOutput(); if (easyMDE === null) { easyMDE = new EasyMDE({ element: document.getElementById('root[description]'), autoRefresh: { delay: 300 }, toolbarButtonClassPrefix: "mde", toolbar: [ "bold", "italic", "heading", "|", "quote", "code", "table", "unordered-list", "ordered-list", "|", "link", "image", "|", "preview", "side-by-side", "fullscreen", "|" ] }); } }, 0); // 0ms delay still allows the browser to update the DOM return COMMENTS; }) .catch((error) => { console.error('Error:', error); }); } function initialize_editor(schema, json_object) { // Default starting schema if(!schema) { schema = {} } // Divs/textareas on the page var $schema = schema; var $output = document.getElementById('output'); var $editor = document.getElementById('editor'); // Default theme JSONEditor.defaults.options.theme = 'bootstrap5'; window.startval = json_object; var jsoneditor; var reload = function(keep_value) { var startval = (jsoneditor && keep_value)? jsoneditor.getValue() : window.startval; window.startval = undefined; if (jsoneditor) { jsoneditor.destroy(); } jsoneditor = new JSONEditor($editor, { // The schema for the editor schema: schema, // Remove collapse button disable_collapse: true, // Seed the form with a starting value startval: startval, // Enable fetching schemas via ajax ajax: true, // Disable additional properties no_additional_properties: false, // Require all properties by default required_by_default: true, show_opt_in: false, disable_edit_json: true, theme: "bootstrap5", object_background: document.documentElement.getAttribute("data-bs-theme") == "dark" ? "bg-dark" : "bg-light", }); window.jsoneditor = jsoneditor; // When the value of the editor changes, update the JSON output and validation message jsoneditor.on('change',function() { var json = jsoneditor.getValue(); }); }; // Start the schema and output textareas with initial values $schema.value = JSON.stringify(schema, null, 2); reload(); }; function loadBundles() { var DateTime = luxon.DateTime; var converter = new showdown.Converter({tables: true, moreStyling: true}); var bundleTemplate = _.template( '<div class="card markdown-description">' + '<div class="card-body">' + '<h5 class="card-title"><a href="/bundle/<%= uuid %>"><%= name %></a></h5>' + '<h6 class="card-subtitle mb-2 text-body-secondary"><%= timestamp %> by <a href="/user/<%= author_login %>"><%= author_name %></a></h6>' + '<p class="card-text"><%= description %></p>' + '<h5 class="card-text">Related vulnerabilities</h5>' + '<div class="card" >' + '<ul class="list-group list-group-flush">' + '<% _.forEach(related_vulnerabilities, function(vuln) ' + '{ %><li class="list-group-item"><a href="/vuln/<%= vuln %>"><%- vuln %></a></li><% }); %>' + '</ul>' + '</div>' + '</div>'); fetch("/api/bundle/?vuln_id=ghsa-5m9v-2hhc-h2wj") .then(response => response.json()) .then(result => { document.getElementById("list-bundles").innerHTML = "<p>Bundles referring to this vulnerability.</p>"; if (result.metadata.count == 0) { document.getElementById("list-bundles").innerHTML = "<p>This vulnerability is not linked to any bundle.</p>"; } result.data .sort(function (a, b) { return new Date(b.updated_at) - new Date(a.updated_at); }) .map(function (bundle) { var author = bundle.author delete bundle.author; var cardHTML = bundleTemplate({ 'uuid': bundle.uuid, 'name': bundle.name, 'description': converter.makeHtml(bundle.description), 'timestamp': DateTime.fromISO(bundle.timestamp).toRelative(), 'related_vulnerabilities': bundle.related_vulnerabilities.map(v => v.toLowerCase()), 'author_name': author.name, 'author_login': author.login }); var element = document.createElement("div"); var element_br = document.createElement("br"); element.innerHTML = cardHTML; document.getElementById("list-bundles").appendChild(element.firstChild); document.getElementById("list-bundles").append(element_br); }) }) .then(_ => { setTimeout(() => { formatMarkdownOutput(); }, 0); // 0ms delay still allows the browser to update the DOM }) .catch((error) => { console.error('Error:', error); }); }; function loadSightings() { fetch("/api/sighting/?vuln_id=ghsa-5m9v-2hhc-h2wj&date_from=1970-01-01") .then(response => response.json()) .then(result => { document.getElementById("nb-sightings").innerText = result.metadata.count; if (result.metadata.count == 0) { document.getElementById("sightings-pane-top").style.display = 'none'; document.getElementById("chart-sightings").innerHTML = "<p>No sightings for this vulnerability.</p>"; document.getElementById("sightingsChartContainer").style.display = 'none'; document.getElementById("chart-detailed-legend").style.display = 'none'; } else{ drawBarChart(result.data); document.getElementById("sightings-pane-top").style.display = 'block'; document.getElementById("chart-sightings").innerHTML = "<h3>Evolution of sightings over time</h3>"; document.getElementById("sightingsChartContainer").style.display = 'block'; document.getElementById("chart-detailed-legend").style.display = 'block'; // clear the table const tableBody = document.getElementById("sighting-table-body"); while (tableBody.firstChild) { tableBody.removeChild(tableBody.firstChild); } result.data .sort(function (a, b) { return new Date(b.creation_timestamp) - new Date(a.creation_timestamp); }) .map(function (sighting) { const row = document.createElement('tr'); // Create a table row // Create and append the Author cell const authorCell = document.createElement('td'); // authorCell.textContent = sighting.author.login; authorCell.innerHTML = '<a href="/user/'+sighting.author.login+'">'+sighting.author.login+'</a>'; row.appendChild(authorCell); // Create and append the Source cell const sourceCell = document.createElement('td'); if (isValidURL(sighting.source)) { sourceCell.innerHTML = '<a href="'+sighting.source+'" rel="noreferrer" target="_blank">'+sighting.source+'</a>'; } else { sourceCell.textContent = sighting.source; } row.appendChild(sourceCell); // Create and append the Type cell const typeCell = document.createElement('td'); typeCell.textContent = sighting.type; row.appendChild(typeCell); // Create and append the Date cell const dateCell = document.createElement('td'); dateCell.classList.add('datetime'); dateCell.textContent = sighting.creation_timestamp; dateCell.title = sighting.creation_timestamp; row.appendChild(dateCell); document.getElementById("sighting-table-body").appendChild(row); }) var DateTime = luxon.DateTime; elements = document.getElementsByClassName("datetime"); Array.prototype.forEach.call(elements, function(element) { element.textContent = DateTime.fromISO(element.textContent).toRelative() }); } }) .catch((error) => { console.error('Error:', error); }); }; document.getElementById("btnThemeSwitch").addEventListener("click",()=>{ if (document.documentElement.getAttribute("data-bs-theme") == "dark") { Array.from(document.getElementsByClassName("card")).forEach(container => { container.classList.remove("bg-dark"); container.classList.add("bg-light"); }); } else { Array.from(document.getElementsByClassName("card")).forEach(container => { container.classList.remove("bg-light"); container.classList.add("bg-dark"); }); } }) </script> </div> </main> <footer class="footer bg-light"> <div class="container"> <div class="row"> <div class="col d-none d-md-block"> <div class="d-flex justify-content-start"> <span class="text-muted"><a href="https://www.circl.lu" rel="noreferrer" target="_blank">Computer Incident Response Center Luxembourg (CIRCL)</a></span> </div> </div> <div class="col"> <div class="d-flex justify-content-end"> <a class="text-end d-none d-md-block" href="https://vulnerability.circl.lu/dumps/">Dumps</a>   <a class="text-end" href="/users/">Contributors</a>   <a class="text-end" href="/documentation/">Documentation</a>   <a class="text-end" href="/api/">API</a>   <a class="text-end" href="/about">About</a>   <a class="text-end" href="https://github.com/cve-search/vulnerability-lookup" title="Source code of Vulnerability-Lookup" target="_blank"> <svg class="bi" width="1em" height="1em" fill="currentColor"> <use xlink:href="/bootstrap/static/icons/bootstrap-icons.svg#github"/> </svg> </a> </div> </div> </div> </div> </footer>  <script src="/bootstrap/static/umd/popper.min.js"></script> <script src="/bootstrap/static/js/bootstrap.min.js"></script> <script> if (getCookie("theme") == 'light') { document.getElementById('btnThemeSwitch').innerHTML = '<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="bi bi-moon-stars-fill" viewBox="0 0 16 16"><path d="M6 .278a.77.77 0 0 1 .08.858 7.2 7.2 0 0 0-.878 3.46c0 4.021 3.278 7.277 7.318 7.277q.792-.001 1.533-.16a.79.79 0 0 1 .81.316.73.73 0 0 1-.031.893A8.35 8.35 0 0 1 8.344 16C3.734 16 0 12.286 0 7.71 0 4.266 2.114 1.312 5.124.06A.75.75 0 0 1 6 .278"/><path d="M10.794 3.148a.217.217 0 0 1 .412 0l.387 1.162c.173.518.579.924 1.097 1.097l1.162.387a.217.217 0 0 1 0 .412l-1.162.387a1.73 1.73 0 0 0-1.097 1.097l-.387 1.162a.217.217 0 0 1-.412 0l-.387-1.162A1.73 1.73 0 0 0 9.31 6.593l-1.162-.387a.217.217 0 0 1 0-.412l1.162-.387a1.73 1.73 0 0 0 1.097-1.097zM13.863.099a.145.145 0 0 1 .274 0l.258.774c.115.346.386.617.732.732l.774.258a.145.145 0 0 1 0 .274l-.774.258a1.16 1.16 0 0 0-.732.732l-.258.774a.145.145 0 0 1-.274 0l-.258-.774a1.16 1.16 0 0 0-.732-.732l-.774-.258a.145.145 0 0 1 0-.274l.774-.258c.346-.115.617-.386.732-.732z"/></svg>'; document.getElementById('vulnerability-lookup-logo').src = '/static/img/VL-hori-coul.png'; document.getElementById('btnThemeSwitch').setAttribute('title', 'Switch to dark theme'); } else { document.getElementById('btnThemeSwitch').innerHTML = '<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="bi bi-sun-fill" viewBox="0 0 16 16"><path d="M8 12a4 4 0 1 0 0-8 4 4 0 0 0 0 8M8 0a.5.5 0 0 1 .5.5v2a.5.5 0 0 1-1 0v-2A.5.5 0 0 1 8 0m0 13a.5.5 0 0 1 .5.5v2a.5.5 0 0 1-1 0v-2A.5.5 0 0 1 8 13m8-5a.5.5 0 0 1-.5.5h-2a.5.5 0 0 1 0-1h2a.5.5 0 0 1 .5.5M3 8a.5.5 0 0 1-.5.5h-2a.5.5 0 0 1 0-1h2A.5.5 0 0 1 3 8m10.657-5.657a.5.5 0 0 1 0 .707l-1.414 1.415a.5.5 0 1 1-.707-.708l1.414-1.414a.5.5 0 0 1 .707 0m-9.193 9.193a.5.5 0 0 1 0 .707L3.05 13.657a.5.5 0 0 1-.707-.707l1.414-1.414a.5.5 0 0 1 .707 0m9.193 2.121a.5.5 0 0 1-.707 0l-1.414-1.414a.5.5 0 0 1 .707-.707l1.414 1.414a.5.5 0 0 1 0 .707M4.464 4.465a.5.5 0 0 1-.707 0L2.343 3.05a.5.5 0 1 1 .707-.707l1.414 1.414a.5.5 0 0 1 0 .708"/></svg>'; document.getElementById('vulnerability-lookup-logo').src = '/static/img/VL-hori-white-coul.png'; document.getElementById('btnThemeSwitch').setAttribute('title', 'Switch to light theme'); } document.addEventListener("DOMContentLoaded", function() { document.getElementById('btnThemeSwitch').addEventListener('click',()=>{ if (document.documentElement.getAttribute('data-bs-theme') == 'dark') { document.documentElement.setAttribute('data-bs-theme','light') document.getElementById('btnThemeSwitch').innerHTML = '<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="bi bi-moon-stars-fill" viewBox="0 0 16 16"><path d="M6 .278a.77.77 0 0 1 .08.858 7.2 7.2 0 0 0-.878 3.46c0 4.021 3.278 7.277 7.318 7.277q.792-.001 1.533-.16a.79.79 0 0 1 .81.316.73.73 0 0 1-.031.893A8.35 8.35 0 0 1 8.344 16C3.734 16 0 12.286 0 7.71 0 4.266 2.114 1.312 5.124.06A.75.75 0 0 1 6 .278"/><path d="M10.794 3.148a.217.217 0 0 1 .412 0l.387 1.162c.173.518.579.924 1.097 1.097l1.162.387a.217.217 0 0 1 0 .412l-1.162.387a1.73 1.73 0 0 0-1.097 1.097l-.387 1.162a.217.217 0 0 1-.412 0l-.387-1.162A1.73 1.73 0 0 0 9.31 6.593l-1.162-.387a.217.217 0 0 1 0-.412l1.162-.387a1.73 1.73 0 0 0 1.097-1.097zM13.863.099a.145.145 0 0 1 .274 0l.258.774c.115.346.386.617.732.732l.774.258a.145.145 0 0 1 0 .274l-.774.258a1.16 1.16 0 0 0-.732.732l-.258.774a.145.145 0 0 1-.274 0l-.258-.774a1.16 1.16 0 0 0-.732-.732l-.774-.258a.145.145 0 0 1 0-.274l.774-.258c.346-.115.617-.386.732-.732z"/></svg>'; document.getElementById('vulnerability-lookup-logo').src = '/static/img/VL-hori-coul.png'; document.getElementById('btnThemeSwitch').setAttribute('title', 'Switch to dark theme'); document.cookie = "theme=light; path=/; SameSite=Strict"; } else { document.documentElement.setAttribute('data-bs-theme','dark'); document.getElementById('btnThemeSwitch').innerHTML = '<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="bi bi-sun-fill" viewBox="0 0 16 16"><path d="M8 12a4 4 0 1 0 0-8 4 4 0 0 0 0 8M8 0a.5.5 0 0 1 .5.5v2a.5.5 0 0 1-1 0v-2A.5.5 0 0 1 8 0m0 13a.5.5 0 0 1 .5.5v2a.5.5 0 0 1-1 0v-2A.5.5 0 0 1 8 13m8-5a.5.5 0 0 1-.5.5h-2a.5.5 0 0 1 0-1h2a.5.5 0 0 1 .5.5M3 8a.5.5 0 0 1-.5.5h-2a.5.5 0 0 1 0-1h2A.5.5 0 0 1 3 8m10.657-5.657a.5.5 0 0 1 0 .707l-1.414 1.415a.5.5 0 1 1-.707-.708l1.414-1.414a.5.5 0 0 1 .707 0m-9.193 9.193a.5.5 0 0 1 0 .707L3.05 13.657a.5.5 0 0 1-.707-.707l1.414-1.414a.5.5 0 0 1 .707 0m9.193 2.121a.5.5 0 0 1-.707 0l-1.414-1.414a.5.5 0 0 1 .707-.707l1.414 1.414a.5.5 0 0 1 0 .707M4.464 4.465a.5.5 0 0 1-.707 0L2.343 3.05a.5.5 0 1 1 .707-.707l1.414 1.414a.5.5 0 0 1 0 .708"/></svg>'; document.getElementById('vulnerability-lookup-logo').src = '/static/img/VL-hori-white-coul.png'; document.getElementById('btnThemeSwitch').setAttribute('title', 'Switch to light theme'); document.cookie = "theme=dark; path=/; SameSite=Strict"; } }) }); </script> </body> </html>

Action not permitted

ghsa-5m9v-2hhc-h2wj

Vulnerability from github