Details
- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: EE-4.3.0.GA_P06, EE-3.3.0.GA_P12
- Fix Version/s: EE-4.3.0.GA_P07, EE-3.3.0.GA_P13
- Component/s: ACE-Components
- Labels: None
- Environment: Any
Description
A customer brought to our attention that vulnerability CVE-2010-5312 may not have been addressed yet in ICEfaces. Indeed, it doesn't look like the fix for this vulnerability has been applied to our code.
The name of the vulnerability indicates that it is very old, but, according to the references, it wasn't named and documented until much later, probably around 2014. There was a fix for it in 2012, but it wasn't labelled with the name of this vulnerability.
These are some references about this vulnerability:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5312
https://jqueryui.com/changelog/1.10.0/
https://bugs.jqueryui.com/ticket/6016/
https://github.com/advisories/GHSA-wcm2-9c89-wmfm
https://github.com/jquery/jquery-ui/commit/7e9060c109b928769a664dbcc2c17bd21231b6f3
In any case, this would only be a vulnerability in ICEfaces if the end user is allowed to input arbitrary content to be put inside a dialog's title (such as via the 'header' attribute) and if somehow this content is not escaped. By default, ICEfaces escapes all content submitted by the user when sending it to the server for processing.
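As an added illustration (not code from jQuery UI, ICEfaces, or this ticket): the jQuery UI 1.10.0 fix referenced above stops the dialog from interpreting its title option as HTML, which is exactly the "not escaped" condition described in the paragraph above. The block below models that difference in plain JavaScript, with a small escaper standing in for text-node insertion; the function names, the sample titles and the injected-markup check are all constructed here for the example and do not exist in either project.

```javascript
// Added illustration of CVE-2010-5312 (jQuery UI dialog title XSS), written
// for this page; it is not jQuery UI or ICEfaces code. It models the two ways
// a dialog widget can set its title: interpreting the string as HTML
// (the vulnerable, pre-1.10.0 behaviour) versus inserting it as text.
"use strict";

// Minimal HTML escaper for text placed in element content. These five
// characters are what a text-node insertion neutralises; attribute
// contexts would need additional care, but the title lands in element content.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable: the title goes into the title span as raw markup
// (the equivalent of setting it with an HTML-interpreting setter).
function renderTitleAsHtml(title) {
  return `<span class="ui-dialog-title">${title}</span>`;
}

// Fixed: the title goes in as text, so any markup in it is displayed
// literally rather than parsed by the browser.
function renderTitleAsText(title) {
  return `<span class="ui-dialog-title">${escapeHtml(title)}</span>`;
}

// Rough check used only by this example: after stripping the wrapper the
// template itself contributed, does anything that would open a tag remain?
// Escaped text never contains a raw '<', so it passes; raw markup does not.
function containsInjectedMarkup(fragment) {
  const inner = fragment
    .replace(/^<span class="ui-dialog-title">/, "")
    .replace(/<\/span>$/, "");
  return /<[a-zA-Z!\/]/.test(inner);
}

// Constructed sample inputs: a title an attacker could supply if a page let
// request data flow unescaped into the dialog's 'header' attribute, and a
// benign title that legitimately contains angle brackets.
const ATTACKER_TITLE = 'Report <img src=x onerror="alert(document.cookie)">';
const BENIGN_TITLE = "Quarterly report <Q3>";

// Runs both renderers over the attacker-controlled title and reports whether
// the injected tag survives into the fragment the browser would parse.
function demo() {
  return {
    unsafe: containsInjectedMarkup(renderTitleAsHtml(ATTACKER_TITLE)),
    safe: containsInjectedMarkup(renderTitleAsText(ATTACKER_TITLE)),
    benignRendered: renderTitleAsText(BENIGN_TITLE),
  };
}

console.log(demo());
```

The point for an ICEfaces application is the condition stated in the paragraph above: the widget-side change only matters when attacker-controlled data can reach the title unescaped, so the check worth making in a review is where the `header` value comes from and whether anything along that path disables escaping.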
Activity
Applied fix for vulnerability CVE-2010-5312 to our jQuery UI source code.
The fix was discussed in this bug tracker ticket:
https://bugs.jqueryui.com/ticket/6016/
This is the link to the actual fix on GitHub:
https://github.com/jquery/jquery-ui/commit/7e9060c109b928769a664dbcc2c17bd21231b6f3
The fix was adapted to our version of jQuery UI and tested.
Committed at revision 53615.
Closing this JIRA as fixed.