Prevent Angular evaluation of strings enclosed by two curly braces in non-Angular form-fields and output

Description

While working on issue NMS-15306 I realized that maybe we have a vulnerability in OpenNMS that may affect each and every form. On a request, the JSP writes the content, but afterwards text enclosed by two curly braces is evaluated by Angular. Strings like {{constructor.constructor('alert(document.domain)')()}} will allow XSS attacks. One way to avoid the evaluation by Angular is to set ng-non-bindable for outputting non-Angular values, but it would be nice to have a global fix for the whole OpenNMS-Web-UI. I found some logic regarding Angular apps in bootstrap.jsp, but my knowledge about Angular is pretty limited. I hope someone can give input on this and find a way to solve this in a general way for the whole OpenNMS Web-UI.

Acceptance / Success Criteria

None
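
The ng-non-bindable approach from the description, sketched as an added example (not OpenNMS code and not the fix that was merged): it shows that HTML-encoding alone leaves `{{ }}` intact for Angular, while an encoded value inside an ng-non-bindable element is skipped by the compiler. The helper names `escapeHtml`, `renderNonAngular` and `hasLiveInterpolation` are hypothetical, and the sample input is the string quoted in the description.

```javascript
// Added example; all function names are hypothetical, not part of OpenNMS.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
};

// HTML-encode first, so the value cannot close the wrapper element and
// place text outside the ng-non-bindable subtree.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Emit an untrusted, non-Angular value inside an element whose contents
// the Angular compiler does not process (ng-non-bindable).
function renderNonAngular(value) {
  return '<span ng-non-bindable>' + escapeHtml(value) + '</span>';
}

// Review aid for rendered markup: true when "{{" still appears outside the
// wrapper produced by renderNonAngular. Encoded values contain no "<",
// so [^<]* matches exactly one wrapped value.
function hasLiveInterpolation(html) {
  const outside = html.replace(/<span ng-non-bindable>[^<]*<\/span>/g, '');
  return outside.includes('{{');
}

// Sample input: the string quoted in the issue description.
const sample = "{{constructor.constructor('alert(document.domain)')()}}";

// HTML-encoding does not touch curly braces, so this cell is still evaluated.
const encodedOnly = '<td>' + escapeHtml(sample) + '</td>';

// Encoded and wrapped: the braces sit inside the non-bindable subtree.
const wrapped = '<td>' + renderNonAngular(sample) + '</td>';

console.log(hasLiveInterpolation(encodedOnly)); // true
console.log(hasLiveInterpolation(wrapped));     // false
```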

Activity

Jeff Gehlbach August 18, 2023 at 7:34 PM

Back-porting completed via NMS-16052; see that issue for one additional PR. Adding September Meridian 2020, 2021, and 2022 releases to this issue to assure release note coverage.

Also, chatted with about this one today. Qun will hold off on submitting the CVE entry until after the September releases rather than make two CVEs.

fooker July 19, 2023 at 8:55 AM

PR:

chiuen (Qun) June 22, 2023 at 8:06 PM

Infosec evaluated at the following risk:

CVSS: AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N/E:U/RL:W/RC:R/CR:H/IR:H/AR:H/MAV:A/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X

CVSS Score: 6.7 x medium likelihood 0.8 = 5.4 medium

Created March 14, 2023 at 9:07 AM
Updated August 18, 2023 at 7:34 PM
Resolved August 18, 2023 at 7:34 PM