ofbiz-notifications mailing list archives

From "Jacques Le Roux (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-10678) CLONE - Check embedded Javascript libs vulnerabilities using retire.js
Date Fri, 24 May 2019 08:17:00 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-10678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16847339#comment-16847339 ]

Jacques Le Roux commented on OFBIZ-10678:
-----------------------------------------

h3. R18


{noformat}
C:\projectsASF\release18.12>retire
Downloading https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/jsrepository.json ...
Downloading https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/npmrepository.json ...
C:\projectsASF\release18.12\plugins\ecommerce\webapp\ecommerce\js\bootstrap.min.js
 ? bootstrap 4.0.0 has known vulnerabilities: severity: high; issue: 28236, summary: XSS in data-template, data-content and data-title properties of tooltip/popover, CVE: CVE-2019-8331; https://github.com/twbs/bootstrap/issues/28236 severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
C:\projectsASF\release18.12\plugins\solr\webapp\solr\js\require.js
 ? jquery 1.7.1 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
C:\projectsASF\release18.12\plugins\solr\webapp\solr\libs\angular.js
 ? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21 severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md https://github.com/angular/angular.js/pull/15699 severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
C:\projectsASF\release18.12\plugins\solr\webapp\solr\libs\angular.min.js
 ? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21 severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md https://github.com/angular/angular.js/pull/15699 severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
C:\projectsASF\release18.12\plugins\solr\webapp\solr\libs\jquery-2.1.3.min.js
 ? jquery 2.1.3.min has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
C:\projectsASF\release18.12\plugins\solr\webapp\solr\js\lib\jquery-1.7.2.min.js
 ? jquery 1.7.2.min has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
C:\projectsASF\release18.12\themes\common-theme\webapp\common\js\jquery\jquery-3.2.1.js
 ? jquery 3.2.1 has known vulnerabilities: severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
C:\projectsASF\release18.12\themes\common-theme\webapp\common\js\jquery\jquery-3.2.1.min.js
 ? jquery 3.2.1.min has known vulnerabilities: severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
{noformat}


> CLONE - Check embedded Javascript libs vulnerabilities using retire.js
> ----------------------------------------------------------------------
>
>                 Key: OFBIZ-10678
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10678
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL COMPONENTS
>    Affects Versions: Trunk, Release Branch 16.11, Release Branch 17.12, Release Branch 18.12
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Blocker
>              Labels: Javascript, retire.js, vulnerabilities
>
> 3 years ago I created the page https://cwiki.apache.org/confluence/display/OFBIZ/About+retire.js
> After OFBIZ-9269 (done 1 year ago) that I cloned here, I just checked and here are the results:
> h3. Trunk
> {code}
> C:\projectsASF\ofbiz\plugins\ecommerce\webapp\ecommerce\js\bootstrap.bundle.min.js
>  ? bootstrap 4.0.0-beta.2 has known vulnerabilities: severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
> C:\projectsASF\ofbiz\plugins\ecommerce\webapp\ecommerce\js\bootstrap.min.js
>  ? bootstrap 4.0.0 has known vulnerabilities: severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\js\require.js
>  ? jquery 1.7.1 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\angular.js
>  ? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21 severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\angular.min.js
>  ? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21 severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\jquery-2.1.3.min.js
>  ? jquery 2.1.3.min has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\js\lib\jquery-1.7.2.min.js
>  ? jquery 1.7.2.min has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> {code}
> h3. R17
> {code}
> C:\projectsASF\release17.12\plugins\ecommerce\webapp\ecommerce\js\bootstrap.bundle.min.js
>  ? bootstrap 4.0.0-beta.2 has known vulnerabilities: severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
> C:\projectsASF\release17.12\plugins\ecommerce\webapp\ecommerce\js\bootstrap.min.js
>  ? bootstrap 4.0.0 has known vulnerabilities: severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
> C:\projectsASF\release17.12\plugins\solr\webapp\solr\js\require.js
>  ? jquery 1.7.1 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\release17.12\plugins\solr\webapp\solr\libs\angular.js
>  ? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21 severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> C:\projectsASF\release17.12\plugins\solr\webapp\solr\libs\angular.min.js
>  ? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21 severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> C:\projectsASF\release17.12\plugins\solr\webapp\solr\libs\jquery-2.1.3.min.js
>  ? jquery 2.1.3.min has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\release17.12\plugins\solr\webapp\solr\js\lib\jquery-1.7.2.min.js
>  ? jquery 1.7.2.min has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> {code}
> h3. R16
> {code}
>  ? jquery 1.11.0 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\release16.11\framework\images\webapp\images\jquery\jquery-1.11.0.min.js
>  ? jquery 1.11.0.min has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\release16.11\framework\images\webapp\images\jquery\jquery-migrate-1.2.1.js
>  ? jquery-migrate 1.2.1 has known vulnerabilities: severity: medium; bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\release16.11\specialpurpose\solr\webapp\solr\js\require.js
>  ? jquery 1.7.1 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\release16.11\framework\images\webapp\images\jquery\jquery.mobile\jquery.mobile-1.4.0.min.js
>  ? jquery-mobile 1.4.0.min has known vulnerabilities: severity: medium; summary: open redirect leads to cross site scripting; http://sirdarckcat.blogspot.no/2017/02/unpatched-0day-jquery-mobile-xss.html
> C:\projectsASF\release16.11\framework\images\webapp\images\jquery\jquery.mobile\jquery.mobile-1.4.0.js
>  ? jquery-mobile 1.4.0 has known vulnerabilities: severity: medium; summary: open redirect leads to cross site scripting; http://sirdarckcat.blogspot.no/2017/02/unpatched-0day-jquery-mobile-xss.html
> {code}
> So it's time to update the embedded Javascript libs again. I'll check what I have done with OFBIZ-9269 before...



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
