(RHSA-2020:4847) Moderate: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update

ID RHSA-2020:4847
Type redhat
Reporter RedHat
Modified 2022-05-09T13:19:28


The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate System.

Security Fix(es):

  • jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)

  • bootstrap: XSS in the data-target attribute (CVE-2016-10735)

  • bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)

  • bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)

  • bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331)

  • jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)

  • jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)

  • jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)

  • pki: Dogtag's python client does not validate certificates (CVE-2020-15720)

  • pki-core: Reflected XSS in 'path length' constraint field in CA's Agent page (CVE-2019-10146)

  • pki-core/pki-kra: Reflected XSS in recoveryID search field at KRA's DRM agent page in authorize recovery tab (CVE-2019-10179)

  • pki-core: Reflected XSS in getcookies?url= endpoint in CA (CVE-2019-10221)

  • pki-core: KRA vulnerable to reflected XSS via the getPk12 page (CVE-2020-1721)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.3 Release Notes linked from the References section.