CVE-2023-44270

An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.

Weakness

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Affected Software

Name	Vendor	Start Version	End Version
Postcss	Postcss	*	8.4.31 (excluding)
Discovery 1 for RHEL 9	RedHat	discovery/discovery-server-rhel9:1.12.0-1	*
Discovery 1 for RHEL 9	RedHat	discovery/discovery-ui-rhel9:1.12.0-1	*
Red Hat OpenShift Container Platform 4.17	RedHat	openshift4/nmstate-console-plugin-rhel9:v4.17.0-202411261204.p0.gbc40e56.assembly.stream.el9	*
Red Hat OpenShift Container Platform 4.17	RedHat	openshift4/ose-networking-console-plugin-rhel9:v4.17.0-202501150934.p0.g0244dff.assembly.stream.el9	*
Red Hat OpenShift Dev Spaces 3 Containers	RedHat	devspaces/code-rhel9:3.18-6	*
Red Hat OpenShift Dev Spaces 3 Containers	RedHat	devspaces/dashboard-rhel9:3.18-10	*
Red Hat OpenShift GitOps 1.14	RedHat	openshift-gitops-1/argocd-rhel8:v1.14.3-4	*
Red Hat OpenShift GitOps 1.14	RedHat	openshift-gitops-1/argocd-rhel9:v1.14.3-1	*
Red Hat OpenShift GitOps 1.14	RedHat	openshift-gitops-1/argo-rollouts-rhel8:v1.14.3-4	*
Red Hat OpenShift GitOps 1.14	RedHat	openshift-gitops-1/console-plugin-rhel8:v1.14.3-4	*
Red Hat OpenShift GitOps 1.14	RedHat	openshift-gitops-1/dex-rhel8:v1.14.3-4	*
Red Hat OpenShift GitOps 1.14	RedHat	openshift-gitops-1/gitops-operator-bundle:v1.14.3-4	*
Red Hat OpenShift GitOps 1.14	RedHat	openshift-gitops-1/gitops-rhel8:v1.14.3-4	*
Red Hat OpenShift GitOps 1.14	RedHat	openshift-gitops-1/gitops-rhel8-operator:v1.14.3-4	*
Red Hat OpenShift GitOps 1.14	RedHat	openshift-gitops-1/kam-delivery-rhel8:v1.14.3-4	*
Red Hat OpenShift GitOps 1.14	RedHat	openshift-gitops-1/must-gather-rhel8:v1.14.3-4	*
Red Hat OpenShift Service Mesh 2.5 for RHEL 8	RedHat	openshift-service-mesh/kiali-rhel8:1.73.17-1	*
RHODF-4.14-RHEL-9	RedHat	odf4/ocs-client-console-rhel9:v4.14.16-2	*
RHODF-4.14-RHEL-9	RedHat	odf4/odf-console-rhel9:v4.14.16-1	*
RHODF-4.14-RHEL-9	RedHat	odf4/odf-multicluster-console-rhel9:v4.14.16-2	*
RHODF-4.15-RHEL-9	RedHat	odf4/ocs-client-console-rhel9:v4.15.12-1	*
RHODF-4.15-RHEL-9	RedHat	odf4/odf-console-rhel9:v4.15.12-1	*
RHODF-4.15-RHEL-9	RedHat	odf4/odf-multicluster-console-rhel9:v4.15.12-1	*
RHODF-4.16-RHEL-9	RedHat	odf4/ocs-client-console-rhel9:v4.16.8-1	*
RHODF-4.16-RHEL-9	RedHat	odf4/odf-console-rhel9:v4.16.8-1	*
RHODF-4.16-RHEL-9	RedHat	odf4/odf-multicluster-console-rhel9:v4.16.8-1	*
RHODF-4.17-RHEL-9	RedHat	odf4/ocs-client-console-rhel9:v4.17.5-1	*
RHODF-4.17-RHEL-9	RedHat	odf4/odf-console-rhel9:v4.17.5-1	*
RHODF-4.17-RHEL-9	RedHat	odf4/odf-multicluster-console-rhel9:v4.17.5-2	*
RHODF-4.18-RHEL-9	RedHat	odf4/ocs-client-console-rhel9:v4.18.0-65	*
RHODF-4.18-RHEL-9	RedHat	odf4/odf-console-rhel9:v4.18.0-65	*
RHODF-4.18-RHEL-9	RedHat	odf4/odf-multicluster-console-rhel9:v4.18.0-64	*
Node-postcss	Ubuntu	bionic	*
Node-postcss	Ubuntu	focal	*
Node-postcss	Ubuntu	lunar	*
Node-postcss	Ubuntu	mantic	*
Node-postcss	Ubuntu	oracular	*
Node-postcss	Ubuntu	plucky	*
Node-postcss	Ubuntu	trusty	*
Node-postcss	Ubuntu	xenial	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-44270
CWE	https://cwe.mitre.org/data/definitions/74.html

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Weakness

Affected Software

Potential Mitigations

References

CVE-2023-44270

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References