{
  "threat_severity" : "Moderate",
  "public_date" : "2021-02-16T00:00:00Z",
  "bugzilla" : {
    "description" : "jsdom: improper loading of local resources",
    "id" : "1930915",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1930915"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.6",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
    "status" : "draft"
  },
  "cwe" : "CWE-862",
  "details" : [ "JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled.", "A flaw was found in jsdom. JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled." ],
  "statement" : "For an application which includes jsdom to be vulnerable to this CVE, it must at least enable the loading of subresources using something similar to `new JSDOM(html, {resources: \"usable\"})`, where `html` is untrusted input. Script execution, which is what allows a malicious page to manipulate local files, is additionally enabled by extending the options similar to `new JSDOM(html, {resources: \"usable\", runScripts: \"dangerously\"})`. [1]\nOpenShift Container Platform (OCP) and OpenShift Service Mesh (OSSM) both include components that package a vulnerable version of `jsdom`. However, none of the components directly enable the loading of resources via `resources: \"usable\"`, and most components only include `jsdom` for use in tests. Hence for OCP and OSSM this flaw is rated as having a Low impact and is marked Will not fix at this time; it might be fixed in a future release.\n[1] https://github.com/jsdom/jsdom#loading-subresources",
  "package_state" : [ {
    "product_name" : "OpenShift Service Mesh 2.0",
    "fix_state" : "Not affected",
    "package_name" : "kiali",
    "cpe" : "cpe:/a:redhat:service_mesh:2.0"
  }, {
    "product_name" : "OpenShift Service Mesh 2.0",
    "fix_state" : "Will not fix",
    "package_name" : "servicemesh-grafana",
    "cpe" : "cpe:/a:redhat:service_mesh:2.0"
  }, {
    "product_name" : "OpenShift Service Mesh 2.0",
    "fix_state" : "Will not fix",
    "package_name" : "servicemesh-prometheus",
    "cpe" : "cpe:/a:redhat:service_mesh:2.0"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Not affected",
    "package_name" : "search-api",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openshift4/ose-grafana",
    "cpe" : "cpe:/a:redhat:openshift:4",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openshift4/ose-prometheus",
    "cpe" : "cpe:/a:redhat:openshift:4",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openshift4/ose-thanos-rhel8",
    "cpe" : "cpe:/a:redhat:openshift:4",
    "impact" : "low"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-20066", "https://nvd.nist.gov/vuln/detail/CVE-2021-20066", "https://www.tenable.com/security/research/tra-2021-05" ],
  "name" : "CVE-2021-20066",
  "csaw" : false
}
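The statement above names the option combination that exposes an application: `resources: "usable"` on untrusted HTML, made worse by `runScripts: "dangerously"`. The following is an added example, not code from the advisory, from jsdom or from any Red Hat component, showing the vulnerable option set beside a hardened one for untrusted input. It assumes a policy of allowing subresources only from `http:`/`https:` origins (the `ALLOWED_SCHEMES` set, `allowSubresource`, `screenHtml`, `hardenedOptions` and `SAMPLE_HTML` are all names and data constructed for this example). Enforcement uses jsdom's documented `ResourceLoader` subclassing, where returning `null` from `fetch()` prevents the load; jsdom is loaded optionally so the policy functions run without it installed.

```javascript
// Added example for CVE-2021-20066 (not jsdom project code, not Red Hat's):
// a subresource policy for rendering untrusted HTML with jsdom.

// Assumption: an untrusted document may only pull subresources from web origins.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Decide whether a subresource reference may be fetched. `ref` is the raw
// src/href value; `base` is the document URL it resolves against (jsdom's
// `url` option, "about:blank" by default). Relative refs against a file:
// document resolve to file: and are refused; unresolvable refs are refused too.
function allowSubresource(ref, base = "about:blank") {
  let url;
  try {
    url = new URL(ref, base);
  } catch {
    return { allowed: false, reason: "unresolvable reference" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { allowed: false, reason: `scheme ${url.protocol} not allowed`, url: url.href };
  }
  return { allowed: true, url: url.href };
}

// Pre-screen untrusted markup: list every src/href reference with its verdict.
// A regex scan is a triage aid, not a parser; the loader below is the real
// enforcement point.
const REF_ATTR = /\b(?:src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
function screenHtml(html, base = "about:blank") {
  const findings = [];
  for (const m of html.matchAll(REF_ATTR)) {
    const ref = m[1] ?? m[2] ?? m[3];
    findings.push({ ref, ...allowSubresource(ref, base) });
  }
  return findings;
}

// jsdom is optional so the policy functions run without the package installed.
let jsdom = null;
try { jsdom = require("jsdom"); } catch { /* not installed: policy still usable */ }

// The option set the advisory describes as vulnerable when `html` is untrusted:
// subresources are fetched and embedded scripts execute.
function vulnerableOptions() {
  return { resources: "usable", runScripts: "dangerously" };
}

// Hardened options for untrusted HTML: no script execution (runScripts unset),
// an explicit document URL so relative refs never silently resolve to file:,
// and subresource loading only through a ResourceLoader applying the policy.
// Without jsdom present, `resources` is omitted, which is jsdom's default of
// loading nothing.
function hardenedOptions(documentUrl = "about:blank") {
  const opts = { url: documentUrl };
  if (jsdom) {
    class PolicyResourceLoader extends jsdom.ResourceLoader {
      fetch(url, options) {
        // jsdom passes an absolute URL here; returning null blocks the fetch.
        return allowSubresource(url).allowed ? super.fetch(url, options) : null;
      }
    }
    opts.resources = new PolicyResourceLoader();
  }
  return opts;
}

// Constructed sample: a page pulling local files next to an ordinary CDN asset.
const SAMPLE_HTML = `<html><head>
<link rel="stylesheet" href='/etc/hosts'>
<script src="file:///etc/passwd"></script>
<script src=//cdn.example/app.js></script>
<img src="https://cdn.example/logo.png">
</head></html>`;

// Screening the sample as if it were opened from a local file: the relative
// href and the scheme-relative script both resolve to file: and are blocked.
function demo() {
  const findings = screenHtml(SAMPLE_HTML, "file:///tmp/untrusted.html");
  const blocked = findings.filter(f => !f.allowed).map(f => f.url ?? f.ref);
  return { findings, blocked };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(vulnerableOptions(), hardenedOptions("https://app.example/"));
  console.table(demo().findings);
}
if (typeof module !== "undefined") {
  module.exports = { allowSubresource, screenHtml, vulnerableOptions, hardenedOptions, demo };
}
```

The scheme-relative `//cdn.example/app.js` is the case worth noting: against an `https:` document it resolves to the CDN, but against a `file:` document it becomes a `file:` URL, so the base URL handed to jsdom is part of the attack surface, not just the `resources` setting.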