{
  "threat_severity" : "Moderate",
  "public_date" : "2021-04-14T00:00:00Z",
  "bugzilla" : {
    "description" : "consul: specially crafted KV entry could be used to perform a XSS attack",
    "id" : "1950275",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1950275"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-79",
  "details" : [ "HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14.", "In consul  a specially crafted KV (key/value store) entry could be used by attacker to perform a XSS (Cross Site Scripting) attack when viewed in the raw mode." ],
  "statement" : "OpenShift Container Platform (OCP) and OpenShift Service Mesh (OSSM) components ship only consul api which could be used for connection to consul service mesh solution, therefore are not affected by this flaw.\nSome OpenShift Virtualization components reference consul in go.sum files, however none of the projects or container images depend on or ship consul, therefore are not affected by this flaw.",
  "package_state" : [ {
    "product_name" : "OpenShift Service Mesh 2.0",
    "fix_state" : "Not affected",
    "package_name" : "servicemesh",
    "cpe" : "cpe:/a:redhat:service_mesh:2.0"
  }, {
    "product_name" : "OpenShift Service Mesh 2.0",
    "fix_state" : "Not affected",
    "package_name" : "servicemesh-prometheus",
    "cpe" : "cpe:/a:redhat:service_mesh:2.0"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Not affected",
    "package_name" : "rhacm2/metrics-collector-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Not affected",
    "package_name" : "rhacm2/multicluster-observability-rhel8-operator",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "consul-client",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/cnf-tests-rhel8",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/compliance-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/file-integrity-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-baremetal-machine-controllers",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-cluster-etcd-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-cluster-node-tuning-operator",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-operator-registry-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-prometheus",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4-wincw/windows-machine-config-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "redhat/redhat-operator-index",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 4",
    "fix_state" : "Not affected",
    "package_name" : "container-native-virtualization/hostpath-provisioner-rhel8-operator",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 4",
    "fix_state" : "Not affected",
    "package_name" : "container-native-virtualization/hyperconverged-cluster-operator",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 4",
    "fix_state" : "Not affected",
    "package_name" : "container-native-virtualization/hyperconverged-cluster-webhook-rhel8",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-25864\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-25864\nhttps://github.com/hashicorp/consul/pull/10023" ],
  "name" : "CVE-2020-25864",
  "csaw" : false
}