Details
-
Type:
Improvement
-
Status: Closed
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: EE-4.3.0.GA_P02, EE-3.3.0.GA_P08
-
Fix Version/s: EE-4.3.0.GA_P03, EE-3.3.0.GA_P09
-
Component/s: ACE-Components, ICE-Components
-
Labels:None
-
Environment:ICEfaces components.
Description
The jQuery library used by ICEfaces components has known security vulnerabilities.
See https://www.cvedetails.com/vulnerability-list/vendor_id-6538/product_id-11031/Jquery-Jquery.html
This JIRA is to analyze these to determine if there is an exposure vector outside of the ICEfaces component code (via the browser) for any of these.
See https://www.cvedetails.com/vulnerability-list/vendor_id-6538/product_id-11031/Jquery-Jquery.html
This JIRA is to analyze these to determine if there is an exposure vector outside of the ICEfaces component code (via the browser) for any of these.
Activity
| Field | Original Value | New Value |
|---|---|---|
| Fix Version/s | EE-4.3.0.GA_P03 [ 13570 ] | |
| Fix Version/s | EE-3.3.0.GA_P09 [ 13781 ] |
| Assignee | Arturo Zambrano [ artzambrano ] |
Applied fixes to the EE 3.3 maintenance branch.
r53374: Don't copy prototype properties in jQuery.extend() (Fix for vulnerability CVE-2019-11358).
r53375: Make jQuery.htmlPrefilter an identity function (Fix for vulnerabilities CVE-2020-11022 and CVE-2020-11023).
r53376: Only execute scripts if they have explicitly set the 'dataType' property (Fix for vulnerability CVE-2015-9251).
r53377: Escape 'closeText' option in Dialog widget (Fix for vulnerability CVE-2016-7103).
Show
Arturo Zambrano
added a comment - Applied fixes to the EE 3.3 maintenance branch.
r53374: Don't copy prototype properties in jQuery.extend() (Fix for vulnerability CVE-2019-11358).
r53375: Make jQuery.htmlPrefilter an identity function (Fix for vulnerabilities CVE-2020-11022 and CVE-2020-11023).
r53376: Only execute scripts if they have explicitly set the 'dataType' property (Fix for vulnerability CVE-2015-9251).
r53377: Escape 'closeText' option in Dialog widget (Fix for vulnerability CVE-2016-7103).
| Repository | Revision | Date | User | Message |
| ICEsoft Public SVN Repository | #53383 | Fri Jul 16 18:58:56 MDT 2021 | art.zambrano | |
| Files Changed | ||||
MODIFY
/icefaces4/trunk/icefaces/ace/component/resources/icefaces.ace/jquery/ui/readme.txt
MODIFY
/icefaces4/trunk/icefaces/ace/component/resources/icefaces.ace/jquery/readme.txt
|
More detailed information can be found in this wiki article:
http://www.icesoft.org/wiki/display/ICE/jQuery+Security+Vulnerability+Mitigation
Show
Arturo Zambrano
added a comment - More detailed information can be found in this wiki article:
http://www.icesoft.org/wiki/display/ICE/jQuery+Security+Vulnerability+Mitigation
| Status | Open [ 1 ] | Resolved [ 5 ] |
| Resolution | Fixed [ 1 ] |
| Status | Resolved [ 5 ] | Closed [ 6 ] |
r53369: Fix for vulnerability CVE-2019-11358.
r53370: Make jQuery.htmlPrefilter an identity function (Fix for vulnerabilities CVE-2020-11022 and CVE-2020-11023).
r53371: Only execute scripts if they have explicitly set the 'dataType' property (Fix for vulnerability CVE-2015-9251).
r53372: Escape 'closeText' option in Dialog widget (Fix for vulnerability CVE-2016-7103).