HAL / HAL-1623

Old versions of bootstrap and jquery with CVEs used in webconsole

    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • 3.5.11.Final

      There are some old JavaScript libraries included in the 'externla.min.js' resource, which is fetched for 'console/index.html':

      Out-of-date Version (Bootstrap)
      Identified Version
      3.3.7
      Latest Version
      3.4.1 (in this branch)


      Known Vulnerabilities in this Version:

      • bootstrap.js Cross-Site Scripting (XSS) Vulnerability
        External References
        CVE-2018-14040
      • bootstrap.js Cross-Site Scripting (XSS) Vulnerability
        External References
        CVE-2018-14042
      • bootstrap.js Cross-Site Scripting (XSS) Vulnerability
        External References
        CVE-2016-10735

      jQuery v3.3.1, contains CVE - https://www.cvedetails.com/cve/CVE-2019-11358/
      current version v3.4.1


      To be honest, I am not an expert in this area and I have not deeply investigated these CVEs, thus it is possible that our Web Console is not affected by them and as such there is no urgent need to perform a bootstrap or jQuery library update. Not sure though...

            hpehl@redhat.com Harald Pehl
            jstourac@redhat.com Jan Stourac