[jira] [Commented] (OFBIZ-10678) CLONE - Check embedded Javascript libs vulnerabilities using retire.js
Locked
[jira] [Commented] (OFBIZ-10678) CLONE - Check embedded Javascript libs vulnerabilities using retire.js
 
|
[ https://issues.apache.org/jira/browse/OFBIZ-10678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16859849#comment-16859849 ] Aditya Sharma commented on OFBIZ-10678: --------------------------------------- Hi [~jacques.le.roux] , I did some findings around them. These are the inferences: 1. For solving [CVE-2015-9251|https://nvd.nist.gov/vuln/detail/CVE-2015-9251] we will need jQuery 3+ and for [CVE-2019-11358|https://nvd.nist.gov/vuln/detail/CVE-2019-11358] jQuery 3.4+. Should we upgrade to 3.4.0? {code:java} C:\projectsASF\release16.11\framework\images\webapp\images\jquery\jquery-1.11.0.min.js ? jquery 1.11.0.min has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery. com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML () executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: low; CVE: CVE-2019-11358, sum mary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-r eleased/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b {code} {code:java} C:\projectsASF\release16.11\framework\images\webapp\images\jquery\jquery-1.11.0.js ? jquery 1.11.0 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/ 2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() e xecutes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: low; CVE: CVE-2019-11358, summary : jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-relea sed/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b {code} {code:java} C:\projectsASF\release16.11\framework\images\webapp\images\jquery\jquery-migrate-1.2.1.js ? jquery-migrate 1.2.1 has known vulnerabilities: severity: medium; bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 http://research.insecurelabs.org/jquery/test/ {code} {code:java} C:\projectsASF\release16.11\specialpurpose\solr\webapp\solr\js\require.js ? jquery 1.7.1 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-201 2-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jq uery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist. gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b {code} 2. For solving vulnerability with jQuery mobile there is no release yet I guess. Vulnerability is reported in 2017 and I don't see a stable release since 2014. See [releases|https://github.com/jquery/jquery-mobile/releases]. It seems jQuery mobile is a dead end now. Though we can upgrade to 1.4.5 the last latest one. what do you suggest? {code:java} C:\projectsASF\release16.11\framework\images\webapp\images\jquery\jquery.mobile\jquery.mobile-1.4.0.js ? jquery-mobile 1.4.0 has known vulnerabilities: severity: medium; summary: open redirect leads to cross site scripting; http://sirdarckcat.blogspot.no/2017/02/unpatched-0day-jquery-mobile-xss.html C:\projectsASF\release16.11\framework\images\webapp\images\jquery\jquery.mobile\jquery.mobile-1.4.0.min.js ? jquery-mobile 1.4.0.min has known vulnerabilities: severity: medium; summary: open redirect leads to cross site scripting; http://sirdarckcat.blogspot.no/2017/02/unpatched-0day-jquery-mobile-xss.html {code} > CLONE - Check embedded Javascript libs vulnerabilities using retire.js > ---------------------------------------------------------------------- > > Key: OFBIZ-10678 > URL: https://issues.apache.org/jira/browse/OFBIZ-10678 > Project: OFBiz > Issue Type: Sub-task > Components: ALL COMPONENTS > Affects Versions: Trunk, Release Branch 16.11, Release Branch 17.12, Release Branch 18.12 > Reporter: Jacques Le Roux > Assignee: Jacques Le Roux > Priority: Blocker > Labels: Javascript, retire.js, vulnerabilities > > 3 years ago I created the page https://cwiki.apache.org/confluence/display/OFBIZ/About+retire.js > After OFBIZ-9269 (done 1 year ago) that I cloned here, I just checked and here are the results: > h3. Trunk > {code} > C:\projectsASF\ofbiz\plugins\ecommerce\webapp\ecommerce\js\bootstrap.bundle.min.js > ? bootstrap 4.0.0-beta.2 has known vulnerabilities: severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, s > ummary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.co > m/twbs/bootstrap/issues/20184 > C:\projectsASF\ofbiz\plugins\ecommerce\webapp\ecommerce\js\bootstrap.min.js > ? bootstrap 4.0.0 has known vulnerabilities: severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: > XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/ > bootstrap/issues/20184 > C:\projectsASF\ofbiz\plugins\solr\webapp\solr\js\require.js > ? jquery 1.7.1 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecu > relabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https:// > nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ > C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\angular.js > ? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21 severit > y: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize; https://github.com/ > angular/angular.js/blob/master/CHANGELOG.md severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94 > C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\angular.min.js > ? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21 severit > y: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize; https://github.com/ > angular/angular.js/blob/master/CHANGELOG.md severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94 > C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\jquery-2.1.3.min.js > ? jquery 2.1.3.min has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and- > 1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery. > com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ > C:\projectsASF\ofbiz\plugins\solr\webapp\solr\js\lib\jquery-1.7.2.min.js > ? jquery 1.7.2.min has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.in > securelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ http > s://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ > {code} > h3. R17 > {code} > C:\projectsASF\release17.12\plugins\ecommerce\webapp\ecommerce\js\bootstrap.bundle.min.js > ? bootstrap 4.0.0-beta.2 has known vulnerabilities: severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 seve > rity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container p > roperty of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184 > C:\projectsASF\release17.12\plugins\ecommerce\webapp\ecommerce\js\bootstrap.min.js > ? bootstrap 4.0.0 has known vulnerabilities: severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: m > edium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property > of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184 > C:\projectsASF\release17.12\plugins\solr\webapp\solr\js\require.js > ? jquery 1.7.1 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-201 > 2-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jq > uery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ > C:\projectsASF\release17.12\plugins\solr\webapp\solr\libs\angular.js > ? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-re > surrection-2016-07-21 severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severi > ty: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8 > f31f1ff43b673a24f84422d5c13d6312b2c4d94 > C:\projectsASF\release17.12\plugins\solr\webapp\solr\libs\angular.min.js > ? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-re > surrection-2016-07-21 severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severi > ty: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8 > f31f1ff43b673a24f84422d5c13d6312b2c4d94 > C:\projectsASF\release17.12\plugins\solr\webapp\solr\libs\jquery-2.1.3.min.js > ? jquery 2.1.3.min has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.c > om/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML( > ) executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ > C:\projectsASF\release17.12\plugins\solr\webapp\solr\js\lib\jquery-1.7.2.min.js > ? jquery 1.7.2.min has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE > -2012-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blo > g.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ > {code} > h3. R16 > {code} > ? jquery 1.11.0 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/ > 2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() e > xecutes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ > C:\projectsASF\release16.11\framework\images\webapp\images\jquery\jquery-1.11.0.min.js > ? jquery 1.11.0.min has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery. > com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML > () executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ > C:\projectsASF\release16.11\framework\images\webapp\images\jquery\jquery-migrate-1.2.1.js > ? jquery-migrate 1.2.1 has known vulnerabilities: severity: medium; bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 http://research.insecurelabs.org/jquery/test/ > C:\projectsASF\release16.11\specialpurpose\solr\webapp\solr\js\require.js > ? jquery 1.7.1 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-201 > 2-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jq > uery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ > C:\projectsASF\release16.11\framework\images\webapp\images\jquery\jquery.mobile\jquery.mobile-1.4.0.min.js > ? jquery-mobile 1.4.0.min has known vulnerabilities: severity: medium; summary: open redirect leads to cross site scripting; http://sirdarckcat.blogspot.no/2017/02/unpatched-0day-jquery-mobile-xss.html > C:\projectsASF\release16.11\framework\images\webapp\images\jquery\jquery.mobile\jquery.mobile-1.4.0.js > ? jquery-mobile 1.4.0 has known vulnerabilities: severity: medium; summary: open redirect leads to cross site scripting; http://sirdarckcat.blogspot.no/2017/02/unpatched-0day-jquery-mobile-xss.html > {code} > So it's time to update again the Javascript embedded libs. I'll check what I have been done with OFBIZ-9269 before... -- This message was sent by Atlassian JIRA (v7.6.3#76005) |
«
Return to OFBiz - Notifications
|
1 view|%1 views
| Free forum by Nabble | Edit this page |