{"containers": {"cna": {"affected": [{"product": "noobaa-core", "vendor": "n/a", "versions": [{"status": "affected", "version": "noobaa 5.7.0"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in noobaa-core in versions before 5.7.0. This flaw results in the name of an arbitrarily URL being copied into an HTML document as plain text between tags, including potentially a payload script. The input was echoed unmodified in the application response, resulting in arbitrary JavaScript being injected into an application's response. The highest threat to the system is for confidentiality, availability, and integrity."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-02T16:10:51", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1950479"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2021-3529", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "noobaa-core", "version": {"version_data": [{"version_value": "noobaa 5.7.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was found in noobaa-core in versions before 5.7.0. This flaw results in the name of an arbitrarily URL being copied into an HTML document as plain text between tags, including potentially a payload script. The input was echoed unmodified in the application response, resulting in arbitrary JavaScript being injected into an application's response. The highest threat to the system is for confidentiality, availability, and integrity."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1950479", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1950479"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:01:07.751Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1950479"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2021-3529", "datePublished": "2021-06-02T16:10:51", "dateReserved": "2021-04-30T00:00:00", "dateUpdated": "2024-08-03T17:01:07.751Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:noobaa-operator:*:*:*:*:*:*:*:*", "matchCriteriaId": "6184F51F-4187-4A72-9FF7-61B03CC5EF19", "versionEndExcluding": "5.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "932D137F-528B-4526-9A89-CD59FA1AB0FE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in noobaa-core in versions before 5.7.0. This flaw results in the name of an arbitrarily URL being copied into an HTML document as plain text between tags, including potentially a payload script. The input was echoed unmodified in the application response, resulting in arbitrary JavaScript being injected into an application's response. The highest threat to the system is for confidentiality, availability, and integrity."}, {"lang": "es", "value": "Se ha encontrado un fallo en noobaa-core en versiones anteriores a 5.7.0. Este fallo resulta en el nombre de una URL arbitraria que se copia en un documento HTML como texto plano entre etiquetas, incluyendo potencialmente un script de carga \u00fatil. La entrada se repite sin modificar en la respuesta de la aplicaci\u00f3n, resultando que se inyecte JavaScript arbitrario en la respuesta de una aplicaci\u00f3n. La mayor amenaza para el sistema es para la confidencialidad, la disponibilidad y la integridad"}], "id": "CVE-2021-3529", "lastModified": "2021-06-15T16:48:52.097", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-02T17:15:08.660", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1950479"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "package": "ocs4/cephcsi-rhel8:4.8-125.01872cc.release_4.8", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}, {"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "package": "ocs4/mcg-core-rhel8:5.8.0-38.e060925.5.8", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}, {"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "package": "ocs4/mcg-rhel8-operator:5.8.0-27.4a6ca5f.5.8", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}, {"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "package": "ocs4/ocs-must-gather-rhel8:4.8-196.a35d7d7.release_4.8", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}, {"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "package": "ocs4/ocs-operator-bundle:4.8.0-5", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}, {"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "package": "ocs4/ocs-rhel8-operator:4.8-196.a35d7d7.release_4.8", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}, {"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "package": "ocs4/rook-ceph-rhel8-operator:4.8-167.9a9db5f.release_4.8", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}, {"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "package": "ocs4/volume-replication-rhel8-operator:4.8-20.ab575a2.release_v0.1", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}], "bugzilla": {"description": "noobaa-core: Cross-site scripting vulnerability with noobaa management URL", "id": "1950479", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1950479"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "status": "verified"}, "cwe": "CWE-79", "details": ["A flaw was found in noobaa-core in versions before 5.7.0. This flaw results in the name of an arbitrarily URL being copied into an HTML document as plain text between tags, including potentially a payload script. The input was echoed unmodified in the application response, resulting in arbitrary JavaScript being injected into an application's response. The highest threat to the system is for confidentiality, availability, and integrity.", "A flaw was found in noobaa-core. This flaw results in the name of an arbitrary URL copied into an HTML document as plain text between tags, including a potential payload script. The input is echoed unmodified in the application response, resulting in arbitrary JavaScript being injected into an application's response. The highest threat to the system is to confidentiality, integrity, as well as system availability."], "name": "CVE-2021-3529", "public_date": "2021-04-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-3529\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3529"], "threat_severity": "Moderate", "upstream_fix": "noobaa 5.7.0"}