[Bugs] [Bug 13536] New: [CVE 21] highlight 3.28 CVEs found
bugzilla
bugzilla на rosalinux.ru
Ср Авг 23 23:20:26 MSK 2023
https://bugzilla.rosalinux.ru/show_bug.cgi?id=13536
Platform: 2021.1
Bug ID: 13536
Summary: [CVE 21] highlight 3.28 CVEs found
Classification: ROSA-based products
Product: ROSA Fresh
Version: All
Hardware: All
URL: CVE-2023-33187,
OS: Linux
Status: CONFIRMED
Severity: normal
Priority: Normal
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: bugs на lists.rosalinux.ru
Reporter: y.tumanov на rosalinux.ru
QA Contact: bugs на lists.rosalinux.ru
CC: e.kosachev на rosalinux.ru, s.matveev на rosalinux.ru,
y.tumanov на rosalinux.ru
Target Milestone: ---
Flags: secteam_verified?
Please patch CVEs for package highlight version 3.28
INFO (CVEs are): highlight 3.28
cves found
CVE-2023-33187
Desc: Highlight is an open source, full-stack monitoring platform. Highlight
may record passwords on customer deployments when a password html input is
switched to `type="text"` via a javascript "Show Password" button. This differs
from the expected behavior which always obfuscates `type="password"` inputs. A
customer may assume that switching to `type="text"` would also not record this
input; hence, they would not add additional `highlight-mask` css-class
obfuscation to this part of the DOM, resulting in unintentional recording of a
password value when a `Show Password` button is used. This issue was patched in
version 6.0.0.
This patch tracks changes to the `type` attribute of an input to ensure an
input that used to be a `type="password"` continues to be obfuscated.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-33187
Severity: MEDIUM
--
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
----------- следущая часть -----------
Вложение в формате HTML было извлечено…
URL: <http://lists.rosalinux.ru/pipermail/bugs/attachments/20230823/e4d10328/attachment.html>
Подробная информация о списке рассылки Bugs