[ALAS2-2020-1519] Amazon Linux 2 2017.12 - ALAS2-2020-1519: medium priority package update for ipa
Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:
CVE-2020-1722:
A flaw was found in IPA. When sending a very long password (>= 1,000,000 characters) to the server, the password hashing process could exhaust memory and CPU leading to a denial of service and the website becoming unresponsive. The highest threat from this vulnerability is to system availability.
1793071: CVE-2020-1722 ipa: No password length restriction leads to denial of service
CVE-2020-11022:
A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the 'HTML' function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.
1828406: CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
CVE-2019-8331:
A cross-site scripting vulnerability was discovered in bootstrap. If an attacker could control the data given to tooltip or popover, they could inject HTML or Javascript into the rendered page when tooltip or popover events fired.
1686454: CVE-2019-8331 bootstrap: XSS in the tooltip or popover data-template attribute
CVE-2019-11358:
A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the extend function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.
1701972: CVE-2019-11358 js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection
CVE-2018-20677:
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
1668089: CVE-2018-20677 bootstrap: XSS in the affix configuration target property
CVE-2018-20676:
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
1668082: CVE-2018-20676 bootstrap: XSS in the tooltip data-viewport attribute
CVE-2018-14042:
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
1601617: CVE-2018-14042 bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip.
CVE-2018-14040:
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
1601614: CVE-2018-14040 bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute
CVE-2016-10735:
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
1668097: CVE-2016-10735 bootstrap: XSS in the data-target attribute
CVE-2015-9251:
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
1399546: CVE-2015-9251 js-jquery: Cross-site scripting via cross-domain ajax requests
- ID
- ALAS2-2020-1519
- Severity
- medium
- URL
- https://alas.aws.amazon.com/AL2/ALAS-2020-1519.html
- Published
-
2020-10-22T17:40:00
(3 years ago) - Modified
-
2020-10-22T22:35:00
(3 years ago) - Rights
- Amazon Linux Security Team
- Other Advisories
-
-
ALAS-2020-1422
-
ALAS2-2023-1905
-
ALPINE:CVE-2015-9251
-
ALPINE:CVE-2019-11358
-
ALPINE:CVE-2020-11022
-
ALSA-2020:4670
-
ALSA-2020:4847
-
ASA-201906-2
-
ASA-201910-4
-
DSA-4434-1
-
DSA-4460-1
-
DSA-4693-1
-
ELSA-2020-3936
-
ELSA-2022-7343
-
ELSA-2022-9177
-
FEDORA-2019-040857fd75
-
FEDORA-2019-1a3edd7e8a
-
FEDORA-2019-2a0ce0c58c
-
FEDORA-2019-41d6ffd6f0
-
FEDORA-2019-5f1a2cc839
-
FEDORA-2019-7eaf0bbe7c
-
FEDORA-2019-84a50e34a9
-
FEDORA-2019-a06dffab1c
-
FEDORA-2019-eba8e44ee6
-
FEDORA-2019-f563e66380
-
FEDORA-2020-0b32a59b54
-
FEDORA-2020-11be4b36d4
-
FEDORA-2020-36d2db5f51
-
FEDORA-2020-7dddce530c
-
FEDORA-2020-8a15713da2
-
FEDORA-2020-fbb94073a1
-
FEDORA-2020-fe94df8c34
-
FREEBSD:1FB13175-ED52-11EA-8B93-001B217B3468
-
FREEBSD:3C5A4FE0-9EBB-11E9-9169-FCAA147E860E
-
FREEBSD:416CA0F4-3FE0-11E9-BBDD-6805CA0B3D42
-
FREEBSD:81FCC2F9-E15A-11E9-ABBF-800DD28B22BD
-
FREEBSD:CD2DC126-CFE4-11EA-9172-4C72B94353B5
-
FREEBSD:ED8D5535-CA78-11E9-980B-999FF59C22EA
-
FREEBSD:FFC73E87-87F0-11E9-AD56-FCAA147E860E
-
GLSA-202007-03
-
MAVEN:GHSA-3MGP-FX93-9XV5
-
MAVEN:GHSA-3WQF-4X89-9G79
-
MAVEN:GHSA-4P24-VMCR-4GQJ
-
MAVEN:GHSA-6C3J-C64M-QHGQ
-
MAVEN:GHSA-7MVR-5X2G-WFC8
-
MAVEN:GHSA-9V3M-8FP8-MJ99
-
MAVEN:GHSA-GXR4-XJJ5-5PX2
-
MAVEN:GHSA-PH58-4VRJ-W6HR
-
MAVEN:GHSA-RMXG-73GG-4P98
-
NPM:GHSA-3MGP-FX93-9XV5
-
NPM:GHSA-3WQF-4X89-9G79
-
NPM:GHSA-4P24-VMCR-4GQJ
-
NPM:GHSA-6C3J-C64M-QHGQ
-
NPM:GHSA-7MVR-5X2G-WFC8
-
NPM:GHSA-9V3M-8FP8-MJ99
-
NPM:GHSA-GXR4-XJJ5-5PX2
-
NPM:GHSA-PH58-4VRJ-W6HR
-
NPM:GHSA-RMXG-73GG-4P98
-
openSUSE-SU-2019:1839-1
-
openSUSE-SU-2019:1872-1
-
openSUSE-SU-2020:0395-1
-
openSUSE-SU-2020:1060-1
-
openSUSE-SU-2020:1106-1
-
openSUSE-SU-2020:1888-1
-
RHSA-2020:3936
-
RHSA-2020:4670
-
RHSA-2020:4847
-
RHSA-2021:4142
-
RHSA-2022:7343
-
RLSA-2020:4670
-
RLSA-2020:4847
-
RUBYSEC:BOOTSTRAP-2016-10735
-
RUBYSEC:BOOTSTRAP-2018-14040
-
RUBYSEC:BOOTSTRAP-2018-14042
-
RUBYSEC:BOOTSTRAP-2018-20676
-
RUBYSEC:BOOTSTRAP-2018-20677
-
RUBYSEC:BOOTSTRAP-2019-8331
-
RUBYSEC:BOOTSTRAP-SASS-2016-10735
-
RUBYSEC:BOOTSTRAP-SASS-2018-14040
-
RUBYSEC:BOOTSTRAP-SASS-2018-14042
-
RUBYSEC:BOOTSTRAP-SASS-2018-20676
-
RUBYSEC:BOOTSTRAP-SASS-2018-20677
-
RUBYSEC:BOOTSTRAP-SASS-2019-8331
-
RUBYSEC:JQUERY-RAILS-2015-9251
-
RUBYSEC:JQUERY-RAILS-2019-11358
-
RUBYSEC:JQUERY-RAILS-2020-11022
-
RUBYSEC:TWITTER-BOOTSTRAP-RAILS-2019-8331
-
SUSE-SU-2020:0737-1
-
SUSE-SU-2020:2292-1
-
SUSE-SU-2020:2373-1
-
SUSE-SU-2020:2650-1
-
| Source | # ID | Name | URL |
|---|---|---|---|
| CVE | CVE-2015-9251 |
|
|
| CVE | CVE-2016-10735 |
|
|
| CVE | CVE-2018-14040 |
|
|
| CVE | CVE-2018-14042 |
|
|
| CVE | CVE-2018-20676 |
|
|
| CVE | CVE-2018-20677 |
|
|
| CVE | CVE-2019-11358 |
|
|
| CVE | CVE-2019-8331 |
|
|
| CVE | CVE-2020-11022 |
|
|
| CVE | CVE-2020-1722 |
|
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:rpm/amazonlinux/python2-ipaserver?arch=noarch&distro=amazonlinux-2 | amazonlinux |
 python2-ipaserver
|
< 4.6.8-5.amzn2 | amazonlinux-2 | noarch | |
| Affected | pkg:rpm/amazonlinux/python2-ipalib?arch=noarch&distro=amazonlinux-2 | amazonlinux |
python2-ipalib
|
< 4.6.8-5.amzn2 | amazonlinux-2 | noarch | |
| Affected | pkg:rpm/amazonlinux/python2-ipaclient?arch=noarch&distro=amazonlinux-2 | amazonlinux |
python2-ipaclient
|
< 4.6.8-5.amzn2 | amazonlinux-2 | noarch | |
| Affected | pkg:rpm/amazonlinux/ipa-server?arch=x86_64&distro=amazonlinux-2 | amazonlinux |
ipa-server
|
< 4.6.8-5.amzn2 | amazonlinux-2 | x86_64 | |
| Affected | pkg:rpm/amazonlinux/ipa-server?arch=i686&distro=amazonlinux-2 | amazonlinux |
ipa-server
|
< 4.6.8-5.amzn2 | amazonlinux-2 | i686 | |
| Affected | pkg:rpm/amazonlinux/ipa-server?arch=aarch64&distro=amazonlinux-2 | amazonlinux |
ipa-server
|
< 4.6.8-5.amzn2 | amazonlinux-2 | aarch64 | |
| Affected | pkg:rpm/amazonlinux/ipa-server-trust-ad?arch=x86_64&distro=amazonlinux-2 | amazonlinux |
ipa-server-trust-ad
|
< 4.6.8-5.amzn2 | amazonlinux-2 | x86_64 | |
| Affected | pkg:rpm/amazonlinux/ipa-server-trust-ad?arch=i686&distro=amazonlinux-2 | amazonlinux |
ipa-server-trust-ad
|
< 4.6.8-5.amzn2 | amazonlinux-2 | i686 | |
| Affected | pkg:rpm/amazonlinux/ipa-server-trust-ad?arch=aarch64&distro=amazonlinux-2 | amazonlinux |
ipa-server-trust-ad
|
< 4.6.8-5.amzn2 | amazonlinux-2 | aarch64 | |
| Affected | pkg:rpm/amazonlinux/ipa-server-dns?arch=noarch&distro=amazonlinux-2 | amazonlinux |
ipa-server-dns
|
< 4.6.8-5.amzn2 | amazonlinux-2 | noarch | |
| Affected | pkg:rpm/amazonlinux/ipa-server-common?arch=noarch&distro=amazonlinux-2 | amazonlinux |
ipa-server-common
|
< 4.6.8-5.amzn2 | amazonlinux-2 | noarch | |
| Affected | pkg:rpm/amazonlinux/ipa-python-compat?arch=noarch&distro=amazonlinux-2 | amazonlinux |
ipa-python-compat
|
< 4.6.8-5.amzn2 | amazonlinux-2 | noarch | |
| Affected | pkg:rpm/amazonlinux/ipa-debuginfo?arch=x86_64&distro=amazonlinux-2 | amazonlinux |
ipa-debuginfo
|
< 4.6.8-5.amzn2 | amazonlinux-2 | x86_64 | |
| Affected | pkg:rpm/amazonlinux/ipa-debuginfo?arch=i686&distro=amazonlinux-2 | amazonlinux |
ipa-debuginfo
|
< 4.6.8-5.amzn2 | amazonlinux-2 | i686 | |
| Affected | pkg:rpm/amazonlinux/ipa-debuginfo?arch=aarch64&distro=amazonlinux-2 | amazonlinux |
ipa-debuginfo
|
< 4.6.8-5.amzn2 | amazonlinux-2 | aarch64 | |
| Affected | pkg:rpm/amazonlinux/ipa-common?arch=noarch&distro=amazonlinux-2 | amazonlinux |
ipa-common
|
< 4.6.8-5.amzn2 | amazonlinux-2 | noarch | |
| Affected | pkg:rpm/amazonlinux/ipa-client?arch=x86_64&distro=amazonlinux-2 | amazonlinux |
ipa-client
|
< 4.6.8-5.amzn2 | amazonlinux-2 | x86_64 | |
| Affected | pkg:rpm/amazonlinux/ipa-client?arch=i686&distro=amazonlinux-2 | amazonlinux |
ipa-client
|
< 4.6.8-5.amzn2 | amazonlinux-2 | i686 | |
| Affected | pkg:rpm/amazonlinux/ipa-client?arch=aarch64&distro=amazonlinux-2 | amazonlinux |
ipa-client
|
< 4.6.8-5.amzn2 | amazonlinux-2 | aarch64 | |
| Affected | pkg:rpm/amazonlinux/ipa-client-common?arch=noarch&distro=amazonlinux-2 | amazonlinux |
ipa-client-common
|
< 4.6.8-5.amzn2 | amazonlinux-2 | noarch |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |