vulnerability JQuery library


Philippe Delalande

Mar 6, 2023, 8:47:48 AM
to bacularis
Hello Marcin, we are currently using 2 Bacula servers with Bacularis in production, and we regularly perform vulnerability scans. The latest scan has detected a vulnerability in a JQuery library used by Bacularis. I'm sharing the link to it: 
https://security.snyk.io/vuln/npm:jquery:20120206
We are not directly affected as our servers are not directly accessible on the web, but if you could take a look, it would be appreciated. 

Best regards, Philippe.

Marcin Haba

Mar 6, 2023, 10:44:15 PM
to Philippe Delalande, bacularis
Hello Philippe,

Thanks for providing information about the jQuery vulnerability. It seems to be an old CVE that affects jQuery package versions lower than 1.9.1.

With Bacularis we provide jQuery in the following version:

Binary deb and rpm packages: jQuery version 3.6.0
Docker image: jQuery version 3.6.0
Installation using Composer: jQuery version 3.6.3

Are you sure that the Snyk tool has in mind the jQuery that comes from Bacularis? Could you show the exact path where this jQuery file is placed?

Thanks for your help.

Best regards,
Marcin Haba (gani)



--
"Greater love hath no man than this, that a man lay down his life for his friends." Jesus Christ

"Większej miłości nikt nie ma nad tę, jak gdy kto życie swoje kładzie za przyjaciół swoich." Jezus Chrystus

Philippe Delalande

Mar 7, 2023, 3:17:54 AM
to bacularis
Hello Marcin,

My vulnerability report specifies that: 

Product detection result: cpe:/a:jquery:jquery:1.8.3
Detected by: jQuery Detection Consolidation (OID: 1.3.6.1.4.1.25623.1.0.150658)
Summary: jQuery is vulnerable to Cross-site Scripting (XSS) attacks.
Vulnerability Detection Result: Installed version: 1.8.3, Fixed version: 1.9.0
Installation path / port: /var/www/bacularis-app/protected/vendor/npm-asset/qrcodejs/jquery.min.js

And another vulnerability would be located at this location:

path / port: /var/www/bacularis-app/protected/vendor/bower-asset/flotr2/examples/lib/jquery-1.7.1.min.js

Solution: Solution type: VendorFix. Update to version 1.9.0 or later.

Affected Software/OS: jQuery prior to version 1.9.0.

Vulnerability Insight: The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Vulnerability Detection Method: Checks if a vulnerable version is present on the target host.

Details: jQuery < 1.9.0 XSS Vulnerability, OID: 1.3.6.1.4.1.25623.1.0.141636, Version used: 2021-06-11T08:43:18Z
Product Detection Result: Product: cpe:/a:jquery:jquery:1.8.3, Method: jQuery Detection Consolidation (OID: 1.3.6.1.4.1.25623.1.0.150658)
References: cve: CVE-2012-6708; url: https://bugs.jquery.com/ticket/11290; cert-bund: WID-SEC-2022-0673; cert-bund: CB-K22/0045; cert-bund: CB-K18/1131; dfn-cert: DFN-CERT-2020-0590

Hopefully, this will provide you with more precision. 
Best regards, Philippe
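As an added example (not code from this thread or from the jQuery project), the two HTML-versus-selector rules the report describes, with the regexes taken from jQuery 1.8.x and 1.9.0 (ticket #11290), plus a scanner-style version check; the banner format in BANNER_RE and the sample file contents are assumptions constructed for the demo.

```javascript
// Added example, not code from the thread or from the jQuery project.
// QUICK_EXPR_OLD / QUICK_EXPR_FIXED reproduce the HTML-vs-selector check
// from jQuery 1.8.x and 1.9.0 (ticket #11290); BANNER_RE is an assumption
// about the "/*! jQuery vX.Y.Z ..." header found in minified builds.

// < 1.9.0: a "<tag>" anywhere after a non-'#' prefix makes the input HTML.
const QUICK_EXPR_OLD = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
// >= 1.9.0: the input must begin with '<' to be treated as HTML.
const QUICK_EXPR_FIXED = /^(?:(<[\w\W]+>)[^>]*|#([\w\-]*))$/;

// True when "major.minor.patch" is below the fixed version 1.9.0.
function isVulnerableVersion(version) {
  const parts = version.split(".").map(Number);
  if (parts.length < 2 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${version}`);
  }
  const [major, minor] = parts;
  return major < 1 || (major === 1 && minor < 9);
}

// How jQuery(str) of the given version would interpret str:
// "html" = parsed into DOM nodes, "selector" = looked up in the document.
function classify(input, version) {
  const expr = isVulnerableVersion(version) ? QUICK_EXPR_OLD : QUICK_EXPR_FIXED;
  const m = expr.exec(input);
  return m && m[1] ? "html" : "selector";
}

// Scanner-style check: read the version banner of a jQuery file's text
// (assumed format) and report whether that file needs the 1.9.0 fix.
const BANNER_RE = /jQuery (?:JavaScript Library )?v(\d+\.\d+\.\d+)/;
function auditJqueryFile(path, text) {
  const m = BANNER_RE.exec(text);
  if (!m) return { path, version: null, vulnerable: null };
  return { path, version: m[1], vulnerable: isVulnerableVersion(m[1]) };
}

// Constructed sample: first line of the two files named in the scan report.
const SAMPLE_FILES = {
  "vendor/npm-asset/qrcodejs/jquery.min.js":
    "/*! jQuery v1.8.3 jquery.com | jquery.org/license */",
  "vendor/bower-asset/flotr2/examples/lib/jquery-1.7.1.min.js":
    "/*! jQuery v1.7.1 jquery.com | jquery.org/license */",
};
function auditAll() {
  return Object.entries(SAMPLE_FILES).map(([p, t]) => auditJqueryFile(p, t));
}
```

Note that a selector string with a tag later in it ("div.results <b>x</b>") is parsed as HTML by the old rule and treated as a plain selector by the fixed one, which is exactly the difference the report's "Vulnerability Insight" paragraph describes.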

Marcin Haba

Mar 9, 2023, 1:15:40 AM
to Philippe Delalande, bacularis
Hello Philippe,

Thank you for your detailed report. Now I am seeing it.

Yes, you are right. These old jQuery files come from Bacularis dependencies. I will try to update them.

Thanks again.


Best regards,
Marcin Haba (gani)


Marcin Haba

Mar 10, 2023, 10:53:28 PM
to Philippe Delalande, bacularis
Hello Philippe,

I was trying to update the packages that contain the old jQuery file. For the jQuery files in QRCodeJS and Flotr2 unfortunately we don't have any update from the upstream side.

JavaScript library projects sometimes include in their repositories some external libraries to prepare a demo or tests. Nevertheless, these files are not used in production. Also, they are not used by Bacularis. Typically we use only one file from each of these types of projects, which is the main library file.

For Flotr2 it is:

bacularis-app/protected/vendor/bower-asset/flotr2/flotr2.js

For QRCodeJS it is:

bacularis-app/protected/vendor/npm-asset/qrcodejs/qrcode.min.js


In projects used by Bacularis we have a couple of jQuery files:

bacularis-app/protected/vendor/npm-asset/qrcodejs/jquery.min.js
bacularis-app/protected/vendor/bower-asset/flotr2/examples/lib/jquery-1.7.1.min.js
bacularis-app/protected/vendor/bower-asset/bootstrap/docs/assets/js/vendor/jquery.min.js
bacularis-app/protected/vendor/bower-asset/bootstrap/js/tests/vendor/jquery.min.js
bacularis-app/protected/vendor/bower-asset/opentip/test/vendor/jquery-1.9.1.js

None of them is used by Bacularis.

Because I am not able to update them upstream, I would propose that you remove them if you want. This way your vulnerability detection tool will not display any wrong message.

Thanks.


Best regards,
Marcin Haba (gani)

Philippe Delalande

Mar 13, 2023, 4:02:11 AM
to Marcin Haba, bacularis
Hello Marcin,

Thanks for the feedback, I will indeed delete them now. 
However, in the future, should I do it every time I update bacularis?

Best regards,
Philippe

Marcin Haba

Mar 13, 2023, 11:33:35 PM
to Philippe Delalande, bacularis
Hello Philippe,

These files come from external projects not managed by me nor by any other Bacularis team member. I have no influence on it.

The only thing I can help with is to exclude them from the binary deb/rpm packages; however, that will not solve installations using Composer.

Please also note that Bacularis does not use and does not include these files. They are placed outside the web server document root directory.

Maybe a good idea would be to open tickets in those projects and ask the developers about an update.


Best regards,
Marcin Haba (gani)