{"containers": {"cna": {"affected": [{"product": "JSDom", "vendor": "n/a", "versions": [{"status": "affected", "version": "JSDom 16.4.0"}]}], "descriptions": [{"lang": "en", "value": "JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled."}], "problemTypes": [{"descriptions": [{"description": "Improper Access Control", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-08-29T08:45:45.000Z", "orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "shortName": "tenable"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.tenable.com/security/research/tra-2021-05"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/jsdom/jsdom/issues/3124#issuecomment-783502951"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vulnreport@tenable.com", "ID": "CVE-2021-20066", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "JSDom", "version": {"version_data": [{"version_value": "JSDom 16.4.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Access Control"}]}]}, "references": {"reference_data": [{"name": "https://www.tenable.com/security/research/tra-2021-05", "refsource": "MISC", "url": "https://www.tenable.com/security/research/tra-2021-05"}, {"name": "https://github.com/jsdom/jsdom/issues/3124#issuecomment-783502951", "refsource": "MISC", "url": "https://github.com/jsdom/jsdom/issues/3124#issuecomment-783502951"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:30:07.411Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.tenable.com/security/research/tra-2021-05"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/jsdom/jsdom/issues/3124#issuecomment-783502951"}]}]}, "cveMetadata": {"assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "assignerShortName": "tenable", "cveId": "CVE-2021-20066", "datePublished": "2021-02-16T19:48:08.000Z", "dateReserved": "2020-12-17T00:00:00.000Z", "dateUpdated": "2024-08-03T17:30:07.411Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jsdom_project:jsdom:-:*:*:*:*:*:*:*", "matchCriteriaId": "C10B28FE-6B6A-461E-98FF-B4B1894F7302", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled."}, {"lang": "es", "value": "JSDom permite inapropiadamente la carga de recursos locales, lo que permite que los archivos locales sean manipulados por una p\u00e1gina web maliciosa cuando la ejecuci\u00f3n de script est\u00e1 habilitada"}], "id": "CVE-2021-20066", "lastModified": "2024-11-21T05:45:51.730", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-16T20:15:15.767", "references": [{"source": "vulnreport@tenable.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/jsdom/jsdom/issues/3124#issuecomment-783502951"}, {"source": "vulnreport@tenable.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.tenable.com/security/research/tra-2021-05"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/jsdom/jsdom/issues/3124#issuecomment-783502951"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.tenable.com/security/research/tra-2021-05"}], "sourceIdentifier": "vulnreport@tenable.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "jsdom: improper loading of local resources", "id": "1930915", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1930915"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-862", "details": ["JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled.", "A flaw was found in jsdom. JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled."], "name": "CVE-2021-20066", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Not affected", "package_name": "kiali", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Will not fix", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Will not fix", "package_name": "servicemesh-prometheus", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "search-api", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "impact": "low", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "impact": "low", "package_name": "openshift4/ose-prometheus", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "impact": "low", "package_name": "openshift4/ose-thanos-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2021-02-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-20066\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-20066\nhttps://www.tenable.com/security/research/tra-2021-05"], "statement": "For an application which includes jsdom to be vulnerable to this CVE, it must at least enable the loading of resources using something similar to: `new JSDOM(html, {resources: \"usable\"}`, where `html` is un-trusted input. Furthermore, scripts can be executed by extending the options similar to: `new JSDOM(html, {resources: \"usable\", runScripts: \"dangerously\"}`. [1]\nOpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM) both include components that package a vulnerable version of `jsdom`. However, none of the components directly enable the loading of resources via `resources: \"usable\"` and most components only include `jsdom` for use in tests. Hence for OCP and OSSM the affects are rated to have a Low impact and are wontfix at this time and might be fixed in a future release.\n[1] https://github.com/jsdom/jsdom#loading-subresources", "threat_severity": "Moderate"}

{}