Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[GHSA-3wqf-4x89-9g79] Bootstrap vulnerable to Cross-Site Scripting (XSS) #3282

Merged

Conversation

jenhae
Copy link

@jenhae jenhae commented Jan 13, 2024

Updates

  • Affected products
  • Description
  • References

Comments
I used the demonstration example from twbs/bootstrap#26625 (comment) and proofed, that also version 2.3.0 and above are affected, but 3.4.0 is not, see https://jsbin.com/xixaqeyofi/edit?html,output

@github-actions github-actions bot changed the base branch from main to jenhae/advisory-improvement-3282 January 13, 2024 15:49
@shelbyc
Copy link
Contributor

shelbyc commented Jan 17, 2024

Hi @jenhae, I disagree that version 2.3.0 is vulnerable. The line of code in collapse.js that was involved with CVE-2018-14040, parent = $(this._config.parent)[0], (as corrected in https://github.com/twbs/bootstrap/pull/26630/files), wasn't added to collapse.js until version 4.0.0-beta.2 in this commit. I checked version 2.3.0's version of bootstrap-affix.js, the precursor to collapse.js, and was unable to find the affected line of code in that file either.

@jenhae
Copy link
Author

jenhae commented Jan 17, 2024

Hi @shelbyc, I couldn't find the affected line either, I'm not sure how bootstrap-affix correlates with bootstrap-collapse. I was talking about the https://github.com/twbs/bootstrap/blob/v2.3.0/js/bootstrap-collapse.js, maybe another vulnerability.

However, I could track down the issue to line 34 of bootstrap-collapse using my example, see https://github.com/twbs/bootstrap/blob/v2.3.0/js/bootstrap-collapse.js#L34.

@shelbyc
Copy link
Contributor

shelbyc commented Jan 17, 2024

@jenhae I read at the bottom of https://github.com/twbs/bootstrap/commits/v3.0.0/js/collapse.js that the file was renamed to collapse.js from js/tests/unit/bootstrap-affix.js, but this may not be accurate because the pages for https://github.com/twbs/bootstrap/commits/v3.0.0/js/alert.js and https://github.com/twbs/bootstrap/commits/v3.0.0/js/carousel.js, among others, also claim that those files are renamed from js/tests/unit/bootstrap-affix.js.
Screenshot 2024-01-17 at 4 18 19 PM

With respect to https://github.com/twbs/bootstrap/blob/v2.3.0/js/bootstrap-collapse.js#L34, I think you should bring your concerns to the maintainers and ask them if they believe this might be another vulnerability. Their SECURITY.md file with information about how to report security concerns is here.

According to this commit, this.$parent = $(this.options.parent) replaced this.$parent = $(this.options["parent"]) in version 2.0.3. I'm not sure if the change in this particular line would affect the code's vulnerability to cross-site scripting, and this comment claims the Debian LTS security team found that Bootstrap version 2.0.2 wasn't vulnerable to CVE-2018-14040.

Ultimately, I'm not a JavaScript expert, and the people in the best position to assess whether or not the software has bugs are the maintainers, who are the experts in how Bootstrap works. Thank you for the nice conversation, and I hope I was able to provide some information to help you move forward!

@1Jesper1
Copy link

I think you are right @jenhae! The affected versions should be edited in GHSA-3wqf-4x89-9g79

@1Jesper1
Copy link

1Jesper1 commented Jan 18, 2024

@jenhae I think this one should also be edited. GHSA-7mvr-5x2g-wfc8

@jenhae
Copy link
Author

jenhae commented Jan 18, 2024

@1Jesper1 you're right. Feel free to suggest an improvement https://github.com/advisories/GHSA-7mvr-5x2g-wfc8/improve

@1Jesper1
Copy link

1Jesper1 commented Jan 18, 2024

@1Jesper1 you're right. Feel free to suggest an improvement https://github.com/advisories/GHSA-7mvr-5x2g-wfc8/improve

Will do soon!

@1Jesper1
Copy link

@jenhae Could you review? https://github.com/github/advisory-database/pull/3297/files I think the affected versions could also be tuned in your improvement.

@shelbyc
Copy link
Contributor

shelbyc commented Jan 19, 2024

@1Jesper1 I've read your input here and #3297 and have read the original bug reports. I have a question about this comment in the thread where you originally reported CVE-2018-14042. The comment is from the person who answered this message on the Debian mailing list. The respondent claims that Bootstrap 2.0.2, 3.2.0, and 3.3.7 aren't affected by CVE-2018-14042.

The respondent also claims that In my tests, only CVE-2018-14040 actually triggers a XSS, and only with 3.2.0. So I've marked 2.x N/A there as well.

What do you think of these findings?

@1Jesper1
Copy link

@shelbyc About twbs/bootstrap#26628 (comment)
See https://jsbin.com/wuxuzineli/edit?html,output You can change the Bootstrap JS version to check if the XSS is hit.
Bootstrap 2.3.0, 3.2.0 and 3.3.7 are vulnerable, that's why this should be changed: "Vulnerable from Bootstrap 2.3.0 to 3.4.0 and 4.x before 4.1.2"

@1Jesper1
Copy link

@shelbyc 3.4.0 is not vulnerable. So might be "Vulnerable from Bootstrap 2.3.0 to 3.3.7 and 4.x before 4.1.2"

"published": "2022-05-13T01:07:54Z",
"aliases": [
"CVE-2018-14040"
],
"summary": "Bootstrap vulnerable to Cross-Site Scripting (XSS)",
"details": "In Bootstrap 4.x before 4.1.2, XSS is possible in the collapse data-parent attribute.",
"details": "From Bootstrap 2.3.0 to 3.4.0 and 4.x before 4.1.2, XSS is possible in the collapse data-parent attribute.",

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

to 3.3.7?

@shelbyc
Copy link
Contributor

shelbyc commented Jan 22, 2024

I showed this contribution and #3297 to my teammates and one of them found something interesting! Changing the jQuery version also affects whether the XSS is hit.

For example, the response from the Debian mailing list I mentioned earlier has the following links:

Link Bootstrap Version jQuery Version Vulnerable?
https://jsbin.com/bimipayoda/edit?html,output 4.4.1 3.3.1 Yes
https://jsbin.com/nakisuhuso/edit?html,output 3.3.7 3.3.2 No
https://jsbin.com/tafejagene/edit?html,output 3.2.0 3.3.2 No
https://jsbin.com/zapefecije/edit?html,output 2.0.2 3.3.1 No

When we switch all links to using jQuery 3.3.1, the outcome changes:

Bootstrap Version jQuery Version Vulnerable?
4.4.1 3.3.1 Yes
3.3.7 3.3.1 Yes
3.2.0 3.3.1 Yes
2.0.2 3.3.1 No

Trying this with versions 3.4.0, 3.3.7, 2.3.0, and 2.2.2:

Bootstrap Version jQuery Version Vulnerable?
3.4.0 3.3.1 No
3.3.7 3.3.1 Yes
2.3.0 3.3.1 Yes
2.2.2 3.3.1 No

Do either of you find that the version of jQuery used affects the outcome of the test?

@1Jesper1
Copy link

1Jesper1 commented Jan 22, 2024

@shelbyc I think jQuery 3.3.2 does not exist..
There is no 3.3.2 version: https://releases.jquery.com/jquery/
Link gives error: https://ajax.googleapis.com/ajax/libs/jquery/3.3.2/jquery.min.js

@advisory-database advisory-database bot merged commit fa409b0 into jenhae/advisory-improvement-3282 Jan 23, 2024
2 checks passed
@advisory-database advisory-database bot deleted the jenhae-GHSA-3wqf-4x89-9g79 branch January 23, 2024 16:05
@advisory-database
Copy link
Contributor

Hi @jenhae! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@shelbyc
Copy link
Contributor

shelbyc commented Jan 23, 2024

@jenhae @1Jesper1 Thank you both for using your time and expertise to help me understand GHSA-3wqf-4x89-9g79 and GHSA-7mvr-5x2g-wfc8! I've updated both advisories and am contacting MITRE at https://cveform.mitre.org/ to request to have the CVE records for CVE-2018-14040 and CVE-2018-14042 updated as well.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants