Cross-site Scripting (XSS) Affecting eap7-wildfly package, versions <0:7.4.19-1.GA_redhat_00002.1.el7eap


Severity

Recommended
high

Based on Red Hat Enterprise Linux security rating.

Threat Intelligence

EPSS
0.11% (46th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Cross-site Scripting (XSS) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-RHEL7-EAP7WILDFLY-8219456
  • published15 Oct 2024
  • disclosed29 Aug 2022

Introduced: 29 Aug 2022

CVE-2022-36033  (opens in a new tab)
CWE-79  (opens in a new tab)
CWE-87  (opens in a new tab)

How to fix?

Upgrade RHEL:7 eap7-wildfly to version 0:7.4.19-1.GA_redhat_00002.1.el7eap or higher.
This issue was patched in RHSA-2024:8075.

NVD Description

Note: Versions mentioned in the description apply only to the upstream eap7-wildfly package and not the eap7-wildfly package as distributed by RHEL. See How to fix? for RHEL:7 relevant fixed versions and status.

jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including javascript: URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default SafeList.preserveRelativeLinks option is enabled, HTML including javascript: URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable SafeList.preserveRelativeLinks, which will rewrite input URLs as absolute URLs - ensure an appropriate Content Security Policy is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)

CVSS Scores

version 3.1