[ICE-11514] jQuery Security Issues analysis - ICEsoft JIRA Issue Tracker

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: EE-4.3.0.GA_P02, EE-3.3.0.GA_P08
Fix Version/s: EE-4.3.0.GA_P03, EE-3.3.0.GA_P09
Component/s: ACE-Components, ICE-Components
Labels:
None
Environment:
ICEfaces components.

Description

The jQuery library used by ICEfaces components has known security vulnerabilities.

See https://www.cvedetails.com/vulnerability-list/vendor_id-6538/product_id-11031/Jquery-Jquery.html

This JIRA is to analyze these to determine if there is an exposure vector outside of the ICEfaces component code (via the browser) for any of these.

Activity

Descending order - Click to sort in ascending order

Hide

Permalink

Arturo Zambrano added a comment - 23/Jul/21 7:55 PM

More detailed information can be found in this wiki article:

http://www.icesoft.org/wiki/display/ICE/jQuery+Security+Vulnerability+Mitigation

Show

Arturo Zambrano added a comment - 23/Jul/21 7:55 PM More detailed information can be found in this wiki article: http://www.icesoft.org/wiki/display/ICE/jQuery+Security+Vulnerability+Mitigation

Hide

Permalink

Arturo Zambrano added a comment - 06/Jul/21 1:47 PM

Applied fixes to the EE 3.3 maintenance branch.

r53374: Don't copy prototype properties in jQuery.extend() (Fix for vulnerability CVE-2019-11358).

r53375: Make jQuery.htmlPrefilter an identity function (Fix for vulnerabilities CVE-2020-11022 and CVE-2020-11023).

r53376: Only execute scripts if they have explicitly set the 'dataType' property (Fix for vulnerability CVE-2015-9251).

r53377: Escape 'closeText' option in Dialog widget (Fix for vulnerability CVE-2016-7103).

Show

Arturo Zambrano added a comment - 06/Jul/21 1:47 PM Applied fixes to the EE 3.3 maintenance branch. r53374: Don't copy prototype properties in jQuery.extend() (Fix for vulnerability CVE-2019-11358). r53375: Make jQuery.htmlPrefilter an identity function (Fix for vulnerabilities CVE-2020-11022 and CVE-2020-11023). r53376: Only execute scripts if they have explicitly set the 'dataType' property (Fix for vulnerability CVE-2015-9251). r53377: Escape 'closeText' option in Dialog widget (Fix for vulnerability CVE-2016-7103).

Hide

Permalink

Arturo Zambrano added a comment - 25/Jun/21 10:03 AM

r53369: Fix for vulnerability CVE-2019-11358.

r53370: Make jQuery.htmlPrefilter an identity function (Fix for vulnerabilities CVE-2020-11022 and CVE-2020-11023).

r53371: Only execute scripts if they have explicitly set the 'dataType' property (Fix for vulnerability CVE-2015-9251).

r53372: Escape 'closeText' option in Dialog widget (Fix for vulnerability CVE-2016-7103).

Show

Arturo Zambrano added a comment - 25/Jun/21 10:03 AM r53369: Fix for vulnerability CVE-2019-11358. r53370: Make jQuery.htmlPrefilter an identity function (Fix for vulnerabilities CVE-2020-11022 and CVE-2020-11023). r53371: Only execute scripts if they have explicitly set the 'dataType' property (Fix for vulnerability CVE-2015-9251). r53372: Escape 'closeText' option in Dialog widget (Fix for vulnerability CVE-2016-7103).

People

Assignee:

Arturo Zambrano

Reporter:

Ken Fyten

Votes:

0 Vote for this issue

Watchers:

3 Start watching this issue

Dates

Created:

24/Mar/21 1:43 PM

Updated:

29/Oct/21 5:24 PM

Resolved:

29/Sep/21 1:20 PM