NVD Vulnerability Detail

CVE-2020-26297

Summary	mdBook is a utility to create modern online books from Markdown files and is written in Rust. In mdBook before version 0.4.5, there is a vulnerability affecting the search feature of mdBook, which could allow an attacker to execute arbitrary JavaScript code on the page. The search feature of mdBook (introduced in version 0.1.4) was affected by a cross site scripting vulnerability that allowed an attacker to execute arbitrary JavaScript code on an user's browser by tricking the user into typing a malicious search query, or tricking the user into clicking a link to the search page with the malicious search query prefilled. mdBook 0.4.5 fixes the vulnerability by properly escaping the search query. Owners of websites built with mdBook have to upgrade to mdBook 0.4.5 or greater and rebuild their website contents with it.
Publication Date	Jan. 5, 2021, 4:15 a.m.
Registration Date	Jan. 26, 2021, 11:56 a.m.
Last Update	Nov. 21, 2024, 2:19 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:rust-lang:mdbook::::::rust::*		0.1.4			0.4.5

Related information, measures and tools

No	URL	タグ
1	https://crates.io/crates/mdbook	Product Third Party Advisory
2	https://crates.io/crates/mdbook	Product Third Party Advisory
3	https://github.com/rust-lang/mdBook/blob/master/CHANGELOG.md#mdbook-045	Release Notes Third Party Advisory
4	https://github.com/rust-lang/mdBook/blob/master/CHANGELOG.md#mdbook-045	Release Notes Third Party Advisory
5	https://github.com/rust-lang/mdBook/commit/32abeef088e98327ca0dfccdad92e84afa9d2e9b	Patch Third Party Advisory
6	https://github.com/rust-lang/mdBook/commit/32abeef088e98327ca0dfccdad92e84afa9d2e9b	Patch Third Party Advisory
7	https://github.com/rust-lang/mdBook/security/advisories/GHSA-gx5w-rrhp-f436	Mitigation Third Party Advisory
8	https://github.com/rust-lang/mdBook/security/advisories/GHSA-gx5w-rrhp-f436	Mitigation Third Party Advisory
9	https://groups.google.com/g/rustlang-security-announcements/c/3-sO6of29O0	Mailing List Third Party Advisory
10	https://groups.google.com/g/rustlang-security-announcements/c/3-sO6of29O0	Mailing List Third Party Advisory

Common Vulnerabilities List

JVN Vulnerability Information

mdBook におけるクロスサイトスクリプティングの脆弱性

Title	mdBook におけるクロスサイトスクリプティングの脆弱性
Summary	mdBook には、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	情報を取得される、および情報を改ざんされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Oct. 1, 2020, midnight
Registration Date	Sept. 16, 2021, 4:56 p.m.
Last Update	Sept. 16, 2021, 4:56 p.m.

Affected System

The Rust Programming Language

mdBook 0.4.5 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-26297	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26297
National Vulnerability Database (NVD)
2	CVE-2020-26297	https://nvd.nist.gov/vuln/detail/CVE-2020-26297

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
crates.io
1	mdbook	https://crates.io/crates/mdbook
GitHub
2	fix xss in the search page	https://github.com/rust-lang/mdBook/commit/32abeef088e98327ca0dfccdad92e84afa9d2e9b
3	mdBook 0.4.5	https://github.com/rust-lang/mdBook/blob/master/CHANGELOG.md#mdbook-045

Change Log

No	Changed Details	Date of change
1	[2021年09月16日] 掲載	Sept. 16, 2021, 4:56 p.m.