阿里云漏洞库

漏洞描述

Bootstrap是一款使用HTML、CSS和JavaScript开发的开源Web前端框架。

Bootstrap 4.3.1之前版本中的tooltip或popover插件存在跨站脚本漏洞。远程攻击者可利用该漏洞注入任意的Web脚本或HTML。

解决建议

目前厂商已发布升级补丁以修复漏洞，补丁获取链接：

https://github.com/twbs/bootstrap/releases/tag/v4.3.1

参考链接
http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html
http://seclists.org/fulldisclosure/2019/May/10
http://seclists.org/fulldisclosure/2019/May/11
http://seclists.org/fulldisclosure/2019/May/13
http://www.securityfocus.com/bid/107375
https://access.redhat.com/errata/RHSA-2019:1456
https://access.redhat.com/errata/RHSA-2019:3023
https://access.redhat.com/errata/RHSA-2019:3024
https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/
https://github.com/twbs/bootstrap/pull/28236
https://github.com/twbs/bootstrap/releases/tag/v3.4.1
https://github.com/twbs/bootstrap/releases/tag/v4.3.1
https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359...
https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5...
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d...
https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c255...
https://lists.apache.org/thread.html/52e0e6b5df827ee7f1e68f7cc3babe61af3b2160...
https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b8...
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a...
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34...
https://lists.apache.org/thread.html/r3dc0cac8d856bca02bd6997355d7ff83027dcfc...
https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2...
https://seclists.org/bugtraq/2019/May/18
https://support.f5.com/csp/article/K24383845
https://support.f5.com/csp/article/K24383845?utm_source=f5support&amp%3Butm_m...
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.tenable.com/security/tns-2021-14

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	f5	big-ip_access_policy_manager	*	From (including) 12.1.0	Up to (excluding) 12.1.5.1
	运行在以下环境
	应用	f5	big-ip_access_policy_manager	*	From (including) 13.0.0	Up to (excluding) 13.1.3.4
	运行在以下环境
	应用	f5	big-ip_access_policy_manager	*	From (including) 14.0.0	Up to (excluding) 14.1.2.5
	运行在以下环境
	应用	f5	big-ip_access_policy_manager	*	From (including) 15.0.0	Up to (excluding) 15.1.0
	运行在以下环境
	应用	f5	big-ip_advanced_firewall_manager	*	From (including) 12.1.0	Up to (excluding) 12.1.5.1
	运行在以下环境
	应用	f5	big-ip_advanced_firewall_manager	*	From (including) 13.0.0	Up to (excluding) 13.1.3.4
	运行在以下环境
	应用	f5	big-ip_advanced_firewall_manager	*	From (including) 14.0.0	Up to (excluding) 14.1.2.5
	运行在以下环境
	应用	f5	big-ip_advanced_firewall_manager	*	From (including) 15.0.0	Up to (excluding) 15.1.0
	运行在以下环境
	应用	f5	big-ip_analytics	*	From (including) 12.1.0	Up to (excluding) 12.1.5.1
	运行在以下环境
	应用	f5	big-ip_analytics	*	From (including) 13.0.0	Up to (excluding) 13.1.3.4
	运行在以下环境
	应用	f5	big-ip_analytics	*	From (including) 14.0.0	Up to (excluding) 14.1.2.5
	运行在以下环境
	应用	f5	big-ip_analytics	*	From (including) 15.0.0	Up to (excluding) 15.1.0
	运行在以下环境
	应用	f5	big-ip_application_acceleration_manager	*	From (including) 12.1.0	Up to (excluding) 12.1.5.1
	运行在以下环境
	应用	f5	big-ip_application_acceleration_manager	*	From (including) 13.0.0	Up to (excluding) 13.1.3.4
	运行在以下环境
	应用	f5	big-ip_application_acceleration_manager	*	From (including) 14.0.0	Up to (excluding) 14.1.2.5
	运行在以下环境
	应用	f5	big-ip_application_acceleration_manager	*	From (including) 15.0.0	Up to (excluding) 15.1.0
	运行在以下环境
	应用	f5	big-ip_application_security_manager	*	From (including) 12.1.0	Up to (excluding) 12.1.5.1
	运行在以下环境
	应用	f5	big-ip_application_security_manager	*	From (including) 13.0.0	Up to (excluding) 13.1.3.4
	运行在以下环境
	应用	f5	big-ip_application_security_manager	*	From (including) 14.0.0	Up to (excluding) 14.1.2.5
	运行在以下环境
	应用	f5	big-ip_application_security_manager	*	From (including) 15.0.0	Up to (excluding) 15.1.0
	运行在以下环境
	应用	f5	big-ip_domain_name_system	*	From (including) 12.1.0	Up to (excluding) 12.1.5.1
	运行在以下环境
	应用	f5	big-ip_domain_name_system	*	From (including) 13.0.0	Up to (excluding) 13.1.3.4
	运行在以下环境
	应用	f5	big-ip_domain_name_system	*	From (including) 14.0.0	Up to (excluding) 14.1.2.5
	运行在以下环境
	应用	f5	big-ip_domain_name_system	*	From (including) 15.0.0	Up to (excluding) 15.1.0
	运行在以下环境
	应用	f5	big-ip_edge_gateway	*	From (including) 12.1.0	Up to (excluding) 12.1.5.1
	运行在以下环境
	应用	f5	big-ip_edge_gateway	*	From (including) 13.0.0	Up to (excluding) 13.1.3.4
	运行在以下环境
	应用	f5	big-ip_edge_gateway	*	From (including) 14.0.0	Up to (excluding) 14.1.2.5
	运行在以下环境
	应用	f5	big-ip_edge_gateway	*	From (including) 15.0.0	Up to (excluding) 15.1.0
	运行在以下环境
	应用	f5	big-ip_fraud_protection_service	*	From (including) 12.1.0	Up to (excluding) 12.1.5.1
	运行在以下环境
	应用	f5	big-ip_fraud_protection_service	*	From (including) 13.0.0	Up to (excluding) 13.1.3.4
	运行在以下环境
	应用	f5	big-ip_fraud_protection_service	*	From (including) 14.0.0	Up to (excluding) 14.1.2.5
	运行在以下环境
应用	f5	big-ip_fraud_protection_service	*	From (including) 15.0.0	Up to (excluding) 15.1.0
运行在以下环境
应用	f5	big-ip_global_traffic_manager	*	From (including) 12.1.0	Up to (excluding) 12.1.5.1
运行在以下环境
应用	f5	big-ip_global_traffic_manager	*	From (including) 13.0.0	Up to (excluding) 13.1.3.4
运行在以下环境
应用	f5	big-ip_global_traffic_manager	*	From (including) 14.0.0	Up to (excluding) 14.1.2.5
运行在以下环境
应用	f5	big-ip_global_traffic_manager	*	From (including) 15.0.0	Up to (excluding) 15.1.0
运行在以下环境
应用	f5	big-ip_link_controller	*	From (including) 12.1.0	Up to (excluding) 12.1.5.1
运行在以下环境
应用	f5	big-ip_link_controller	*	From (including) 13.0.0	Up to (excluding) 13.1.3.4
运行在以下环境
应用	f5	big-ip_link_controller	*	From (including) 14.0.0	Up to (excluding) 14.1.2.5
运行在以下环境
应用	f5	big-ip_link_controller	*	From (including) 15.0.0	Up to (excluding) 15.1.0
运行在以下环境
应用	f5	big-ip_local_traffic_manager	*	From (including) 12.1.0	Up to (excluding) 12.1.5.1
运行在以下环境
应用	f5	big-ip_local_traffic_manager	*	From (including) 13.0.0	Up to (excluding) 13.1.3.4
运行在以下环境
应用	f5	big-ip_local_traffic_manager	*	From (including) 14.0.0	Up to (excluding) 14.1.2.5
运行在以下环境
应用	f5	big-ip_local_traffic_manager	*	From (including) 15.0.0	Up to (excluding) 15.1.0
运行在以下环境
应用	f5	big-ip_policy_enforcement_manager	*	From (including) 12.1.0	Up to (excluding) 12.1.5.1
运行在以下环境
应用	f5	big-ip_policy_enforcement_manager	*	From (including) 13.0.0	Up to (excluding) 13.1.3.4
运行在以下环境
应用	f5	big-ip_policy_enforcement_manager	*	From (including) 14.0.0	Up to (excluding) 14.1.2.5
运行在以下环境
应用	f5	big-ip_policy_enforcement_manager	*	From (including) 15.0.0	Up to (excluding) 15.1.0
运行在以下环境
应用	f5	big-ip_webaccelerator	*	From (including) 12.1.0	Up to (excluding) 12.1.5.1
运行在以下环境
应用	f5	big-ip_webaccelerator	*	From (including) 13.0.0	Up to (excluding) 13.1.3.4
运行在以下环境
应用	f5	big-ip_webaccelerator	*	From (including) 14.0.0	Up to (excluding) 14.1.2.5
运行在以下环境
应用	f5	big-ip_webaccelerator	*	From (including) 15.0.0	Up to (excluding) 15.1.0
运行在以下环境
应用	getbootstrap	bootstrap	*		Up to (excluding) 3.4.1
运行在以下环境
应用	getbootstrap	bootstrap	*	From (including) 4.3.0	Up to (excluding) 4.3.1
运行在以下环境
应用	redhat	virtualization_manager	4.3	-
运行在以下环境
系统	alibaba_cloud_linux_2.1903	ipa	*		Up to (excluding) 4.6.8-5.1.al7
运行在以下环境
系统	amazon linux_2	ipa	*		Up to (excluding) 4.6.8-5.amzn2
运行在以下环境
系统	amazon_2	ipa	*		Up to (excluding) 4.6.8-5.amzn2
运行在以下环境
系统	centos_7	ipa-server	*		Up to (excluding) 4.6.8-5.el7
运行在以下环境
系统	debian_10	twitter-bootstrap3	*		Up to (excluding) 3.4.1+dfsg-1
运行在以下环境
系统	debian_11	twitter-bootstrap3	*		Up to (excluding) 3.4.1+dfsg-1
运行在以下环境
系统	debian_12	twitter-bootstrap3	*		Up to (excluding) 3.4.1+dfsg-1
运行在以下环境
系统	debian_9	ipa	*		Up to (excluding) 3.3.7+dfsg-2+deb9u2
运行在以下环境
系统	oracle linux_7	ipa	*		Up to (excluding) 4.6.8-5.0.1.el7
运行在以下环境
系统	oracle_7	ipa-client	*		Up to (excluding) 4.6.8-5.0.1.el7
运行在以下环境
系统	redhat_7	ipa-server	*		Up to (excluding) 4.6.8-5.el7

攻击路径

远程
攻击复杂度

复杂
权限要求

N/A
影响范围

有限影响
EXP成熟度

POC 已公开
补丁情况

官方补丁
数据保密性

数据泄露
数据完整性

无影响
服务器危害

无影响
全网数量

100

CWE-ID	漏洞类型
CWE-79	在Web页面生成时对输入的转义处理不恰当（跨站脚本）

中危 Bootstrap 跨站脚本漏洞（CVE-2019-8331）

漏洞描述

解决建议

参考链接

受影响软件情况