Uploaded image for project: 'HAL'
  1. HAL
  2. HAL-1623

Old versions of bootstrap and jquery with CVEs used in webconsole

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Major
    • 3.5.11.Final
    • None
    • None
    • None

    Description

      There are some old javascript libraries included in 'externla.min.js' resource which is fetched for 'console/index.html':

      Out-­of-­date Version (Bootstrap)
      Identified Version
      3.3.7
      Latest Version
      3.4.1 (in this branch)

      Known Vulnerabilities in this Version:

      • bootstrap.js Cross­Site Scripting (XSS) Vulnerability
        External References
        CVE­2018­14040
      • bootstrap.js Cross­Site Scripting (XSS) Vulnerability
        External References
        CVE­2018­14042
      • bootstrap.js Cross­Site Scripting (XSS) Vulnerability
        External References
        CVE­2016­10735

      jQuery v3.3.1, contains CVE - https://www.cvedetails.com/cve/CVE-2019-11358/
      current version v3.4.1

      To be honest, I am not expert in this area, I have not deeply investigate these CVE thus it is possible that our Web Console is not affected by them and as such there is no urgent need to perform bootstrap or jQuery libraries update. Not sure though...

      Attachments

        Issue Links

          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. WFLY-16093 Upgrade HAL to 3.5.11.Final

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. WFLY-16094 Upgrade HAL to 3.5.11.Final (WildFly 26.1)

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          relates to

          Task - Represents a small unit of work that is not end-user facing. HAL-1542 Replace Grunt with Webpack / Parcel 2.0

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Activity

            People

              hpehl@redhat.com Harald Pehl
              jstourac@redhat.com Jan Stourac
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: