CVE-2017-1002152
Description
Bodhi versions 2.9.0 and earlier are vulnerable to stored cross-site scripting (XSS) through improper sanitization of bug titles, enabling code injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Bodhi, a web-based update gating system for Fedora, is vulnerable to stored cross-site scripting (XSS) in version 2.9.0 and earlier. The flaw arises from incorrect validation of bug titles when they are displayed in the detail view. This allows an attacker to inject arbitrary JavaScript code. The affected product is Bodhi, and the vulnerable versions are 2.9.0 and all prior releases [1][2].
Exploitation
An attacker does not need authentication to the Bodhi instance itself, but must be able to submit a bug report with a crafted title to a bug tracker that Bodhi displays. The injected script is then stored and later rendered in the browser of any user who views the detail page of the affected update. The attack can be executed remotely without user interaction beyond the victim viewing the crafted page [1][2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement, or redirection to malicious sites. The confidentiality, integrity, and availability of the web application can be compromised, depending on the injected script. The attacker gains the same level of access as the victim user [1][2].
Mitigation
A fix was developed and released in the Bodhi project; users should upgrade to a version newer than 2.9.0. The issue was resolved via a commit referenced in the Bodhi project's issue tracker and in the NVD advisory. No workarounds are documented, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1][2][3][4].
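The pre-fix and post-fix shapes of Bodhi's bug_link(), as an added example that is not code from this page or from the Bodhi project: the escaping step uses stdlib html.escape() standing in for the bleach.clean() call the real commit makes, and the URL pattern and "#<id>" display text are assumptions taken from the expected strings in the fix's tests.

```python
import html

# URL pattern and "#<id>" display text are assumed from the expected strings in
# the fix commit's tests; the spinner branch for untitled bugs is omitted here.
BUGZILLA_URL = "https://bugzilla.redhat.com/show_bug.cgi?id=%s"


def _anchor(bug_id):
    return "<a target='_blank' href='%s'>#%s</a>" % (BUGZILLA_URL % bug_id, bug_id)


def bug_link_vulnerable(bug_id, title=None, short=False):
    """Pre-fix shape of bug_link(): the Bugzilla title is concatenated into the
    markup as-is, so any tag in it is interpreted by the viewer's browser."""
    link = _anchor(bug_id)
    if not short and title:
        link = link + " " + title  # untrusted text, no escaping
    return link


def bug_link_fixed(bug_id, title=None, short=False):
    """Post-fix shape. The project's commit calls bleach.clean(title, tags=[],
    attributes=[]); this example substitutes stdlib html.escape(). quote=False
    matches the quotes-left-intact output pinned by the project's tests, which is
    only acceptable because the title is element text, never an attribute value."""
    link = _anchor(bug_id)
    if not short and title:
        link = link + " " + html.escape(title, quote=False)
    return link


def title_is_inert(rendered):
    """True when nothing after the anchor element can open a tag, i.e. the title
    cannot contribute markup. Used to compare the two renderings."""
    trailing = rendered.split("</a>", 1)[1]
    return "<" not in trailing


# Constructed sample titles: one taken from the fix's tests, one obviously hostile.
SAMPLE_TITLES = [
    '<disk> <driver name="..."> should be optional',
    "<script>alert(1)</script>",
]

if __name__ == "__main__":
    for t in SAMPLE_TITLES:
        print("vulnerable:", bug_link_vulnerable(1473091, t))
        print("fixed:     ", bug_link_fixed(1473091, t))
```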
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| bodhi (PyPI) | < 2.9.1 | 2.9.1 |
Affected products
- Fedora Project Infrastructure / Bodhi (v5 range: unspecified)
Patches
2a3b06b42242: CVE-2017-1002152: Sanitize Bugzilla titles in rendered HTML.
5 files changed · +49 −4
bodhi/server/util.py+3 −2 modified@@ -563,8 +563,9 @@ def bug_link(context, bug, short=False): link = "<a target='_blank' href='%s'>%s</a>" % (url, display) if not short: if bug.title: - # We're good... - link = link + " " + bug.title + # We're good, but we do need to clean the bug title in case it contains malicious + # tags. See CVE-2017-1002152: https://github.com/fedora-infra/bodhi/issues/1740 + link = link + " " + bleach.clean(bug.title, tags=[], attributes=[]) else: # Otherwise, the backend is async grabbing the title from rhbz, so link = link + " <img class='spinner' src='static/img/spinner.gif'>"
bodhi/tests/server/test_utils.py+32 −0 modified@@ -42,6 +42,38 @@ def test_short_false_with_title(self): ("<a target='_blank' href='https://bugzilla.redhat.com/show_bug.cgi?id=1234567'>" "#1234567</a> Lucky bug number")) + def test_short_false_with_title_sanitizes_safe_tags(self): + """ + Test that a call to bug_link() with short=False on a Bug that has a title sanitizes even + safe tags because really they should be rendered human readable. + """ + bug = mock.MagicMock() + bug.bug_id = 1234567 + bug.title = 'Check <b>this</b> out' + + link = util.bug_link(None, bug) + + self.assertEqual( + link, + ("<a target='_blank' href='https://bugzilla.redhat.com/show_bug.cgi?id=1234567'>" + "#1234567</a> Check <b>this</b> out")) + + def test_short_false_with_title_sanitizes_unsafe_tags(self): + """ + Test that a call to bug_link() with short=False on a Bug that has a title sanitizes unsafe + tags. + """ + bug = mock.MagicMock() + bug.bug_id = 1473091 + bug.title = '<disk> <driver name="..."> should be optional' + + link = util.bug_link(None, bug) + + self.assertEqual( + link, + ("<a target='_blank' href='https://bugzilla.redhat.com/show_bug.cgi?id=1473091'>" + "#1473091</a> <disk> <driver name=\"...\"> should be optional")) + def test_short_false_without_title(self): """Test a call to bug_link() with short=False on a Bug that has no title.""" bug = mock.MagicMock()
docs/conf.py+1 −1 modified@@ -53,7 +53,7 @@ # The short X.Y version. version = '2.9' # The full version, including alpha/beta/rc tags. -release = '2.9.0' +release = '2.9.1' # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages.
docs/release_notes.rst+12 −0 modified@@ -1,6 +1,18 @@ Release notes ============= +2.9.1 +----- + +2.9.1 is a security release for +`CVE-2017-1002152 <https://github.com/fedora-infra/bodhi/issues/1740>`_. + +Release contributors +^^^^^^^^^^^^^^^^^^^^ + +Thanks to Marcel for reporting the issue. Randy Barlow wrote the fix. + + 2.9.0 -----
setup.py+1 −1 modified@@ -46,7 +46,7 @@ def get_requirements(requirements_file='requirements.txt'): here = os.path.abspath(os.path.dirname(__file__)) README = open(os.path.join(here, 'README.rst')).read() -VERSION = '2.9.0' +VERSION = '2.9.1' # Possible options are at https://pypi.python.org/pypi?%3Aaction=list_classifiers CLASSIFIERS = [ 'Development Status :: 5 - Production/Stable',
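Review bot: in the bodhi/server/util.py hunk, the new line calls bleach.clean() but the hunk adds no import, so confirm util.py already imports bleach at module level (the visible context does not show it). Also note that tags=[] and attributes=[] with bleach's default strip behaviour escape disallowed markup into entities rather than removing it, which is what the updated tests pin; that is the right choice for a human-readable title because the original text survives verbatim.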
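Review bot: in the bodhi/tests/server/test_utils.py hunk, both new cases assert escaped output such as `&lt;b&gt;`, so they implicitly depend on bleach not stripping tags; a one-line comment in the test (or a name such as "escapes" rather than "sanitizes") would make that contract explicit so a later switch to strip=True does not silently change what users see.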
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-h896-6hcp-gj6c (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-1002152 (ghsa, ADVISORY)
- bugzilla.redhat.com/show_bug.cgi (ghsa, WEB)
- github.com/fedora-infra/bodhi/commit/2a3b06b42242ecabb7fed6b147b033b36292d76f (ghsa, WEB)
- github.com/fedora-infra/bodhi/issues/1740 (ghsa, x_refsource_CONFIRM, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/bodhi/PYSEC-2019-150.yaml (ghsa, WEB)
News mentions
No linked articles in our index yet.