[GHSA-3wqf-4x89-9g79] Bootstrap vulnerable to Cross-Site Scripting (XSS)

[jenhae]

Updates

• Affected products
• Description
• References

Comments
I used the demonstration example from twbs/bootstrap#26625 (comment) and proofed, that also version 2.3.0 and above are affected, but 3.4.0 is not, see https://jsbin.com/xixaqeyofi/edit?html,output

[shelbyc]

Hi @jenhae, I disagree that version 2.3.0 is vulnerable. The line of code in collapse.js that was involved with CVE-2018-14040, parent = $(this._config.parent)[0], (as corrected in https://github.com/twbs/bootstrap/pull/26630/files), wasn't added to collapse.js until version 4.0.0-beta.2 in this commit. I checked version 2.3.0's version of bootstrap-affix.js, the precursor to collapse.js, and was unable to find the affected line of code in that file either.

[jenhae]

Hi @shelbyc, I couldn't find the affected line either, I'm not sure how bootstrap-affix correlates with bootstrap-collapse. I was talking about the https://github.com/twbs/bootstrap/blob/v2.3.0/js/bootstrap-collapse.js, maybe another vulnerability.

However, I could track down the issue to line 34 of bootstrap-collapse using my example, see https://github.com/twbs/bootstrap/blob/v2.3.0/js/bootstrap-collapse.js#L34.

[shelbyc]

@jenhae I read at the bottom of https://github.com/twbs/bootstrap/commits/v3.0.0/js/collapse.js that the file was renamed to collapse.js from js/tests/unit/bootstrap-affix.js, but this may not be accurate because the pages for https://github.com/twbs/bootstrap/commits/v3.0.0/js/alert.js and https://github.com/twbs/bootstrap/commits/v3.0.0/js/carousel.js, among others, also claim that those files are renamed from js/tests/unit/bootstrap-affix.js.

With respect to https://github.com/twbs/bootstrap/blob/v2.3.0/js/bootstrap-collapse.js#L34, I think you should bring your concerns to the maintainers and ask them if they believe this might be another vulnerability. Their SECURITY.md file with information about how to report security concerns is here.

According to this commit, this.$parent = $(this.options.parent) replaced this.$parent = $(this.options["parent"]) in version 2.0.3. I'm not sure if the change in this particular line would affect the code's vulnerability to cross-site scripting, and this comment claims the Debian LTS security team found that Bootstrap version 2.0.2 wasn't vulnerable to CVE-2018-14040.

Ultimately, I'm not a JavaScript expert, and the people in the best position to assess whether or not the software has bugs are the maintainers, who are the experts in how Bootstrap works. Thank you for the nice conversation, and I hope I was able to provide some information to help you move forward!

[1Jesper1]

I think you are right @jenhae! The affected versions should be edited in GHSA-3wqf-4x89-9g79

[1Jesper1]

@jenhae I think this one should also be edited. GHSA-7mvr-5x2g-wfc8

[jenhae]

@1Jesper1 you're right. Feel free to suggest an improvement https://github.com/advisories/GHSA-7mvr-5x2g-wfc8/improve

[1Jesper1]

@1Jesper1 you're right. Feel free to suggest an improvement https://github.com/advisories/GHSA-7mvr-5x2g-wfc8/improve

Will do soon!

[1Jesper1]

@jenhae Could you review? https://github.com/github/advisory-database/pull/3297/files I think the affected versions could also be tuned in your improvement.

[shelbyc]

@1Jesper1 I've read your input here and #3297 and have read the original bug reports. I have a question about this comment in the thread where you originally reported CVE-2018-14042. The comment is from the person who answered this message on the Debian mailing list. The respondent claims that Bootstrap 2.0.2, 3.2.0, and 3.3.7 aren't affected by CVE-2018-14042.

The respondent also claims that In my tests, only CVE-2018-14040 actually triggers a XSS, and only with 3.2.0. So I've marked 2.x N/A there as well.

What do you think of these findings?

[1Jesper1]

@shelbyc About twbs/bootstrap#26628 (comment)
See https://jsbin.com/wuxuzineli/edit?html,output You can change the Bootstrap JS version to check if the XSS is hit.
Bootstrap 2.3.0, 3.2.0 and 3.3.7 are vulnerable, that's why this should be changed: "Vulnerable from Bootstrap 2.3.0 to 3.4.0 and 4.x before 4.1.2"

[1Jesper1]

@shelbyc 3.4.0 is not vulnerable. So might be "Vulnerable from Bootstrap 2.3.0 to 3.3.7 and 4.x before 4.1.2"

[1Jesper1]

to 3.3.7?

[shelbyc]

I showed this contribution and #3297 to my teammates and one of them found something interesting! Changing the jQuery version also affects whether the XSS is hit.

For example, the response from the Debian mailing list I mentioned earlier has the following links:

Link	Bootstrap Version	jQuery Version	Vulnerable?
https://jsbin.com/bimipayoda/edit?html,output	4.4.1	3.3.1	Yes
https://jsbin.com/nakisuhuso/edit?html,output	3.3.7	3.3.2	No
https://jsbin.com/tafejagene/edit?html,output	3.2.0	3.3.2	No
https://jsbin.com/zapefecije/edit?html,output	2.0.2	3.3.1	No

When we switch all links to using jQuery 3.3.1, the outcome changes:

Bootstrap Version	jQuery Version	Vulnerable?
4.4.1	3.3.1	Yes
3.3.7	3.3.1	Yes
3.2.0	3.3.1	Yes
2.0.2	3.3.1	No

Trying this with versions 3.4.0, 3.3.7, 2.3.0, and 2.2.2:

Bootstrap Version	jQuery Version	Vulnerable?
3.4.0	3.3.1	No
3.3.7	3.3.1	Yes
2.3.0	3.3.1	Yes
2.2.2	3.3.1	No

Do either of you find that the version of jQuery used affects the outcome of the test?

[1Jesper1]

@shelbyc I think jQuery 3.3.2 does not exist..
There is no 3.3.2 version: https://releases.jquery.com/jquery/
Link gives error: https://ajax.googleapis.com/ajax/libs/jquery/3.3.2/jquery.min.js

[advisory-database]

Hi @jenhae! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

[shelbyc]

@jenhae @1Jesper1 Thank you both for using your time and expertise to help me understand GHSA-3wqf-4x89-9g79 and GHSA-7mvr-5x2g-wfc8! I've updated both advisories and am contacting MITRE at https://cveform.mitre.org/ to request to have the CVE records for CVE-2018-14040 and CVE-2018-14042 updated as well.