[Debian] Medium CVE: CVE-2022-31160 jqueryui: potentially vulnerable to cross-site scripting

Bug #2052923 reported by Yue Tao
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Wentao Zhang
Milestone: (none)

Bug Description

CVE-2022-31160: https://nvd.nist.gov/vuln/detail/CVE-2022-31160

jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes the contents of that parent label be treated as the input's label. If the initial HTML contained encoded HTML entities, calling `.checkboxradio( "refresh" )` on such a widget erroneously decodes them, which can lead to executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.

Base Score: Medium

Reference:

libjs-jquery-ui_1.12.1+dfsg-8+deb11u1_all.deb -> libjs-jquery-ui_1.12.1+dfsg-8+deb11u2_all.deb
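The description above is dense, so here is a dependency-free model of the mechanism, added as an illustration. It is not jQuery UI's code and not part of this bug report; the node shapes and every function name in it are assumptions chosen to mirror what the advisory describes: the widget collects the label's non-input contents, carrying text nodes as their already-decoded text, and on refresh re-inserts that string as HTML. The patched serializer re-escapes text nodes before they become markup, and the "wrap it in a span" workaround avoids the text-node path entirely.

```javascript
// Added example: a model of CVE-2022-31160, not jQuery UI's implementation.
// Assumed data shapes: a label's child nodes as the widget would see them,
// with the <input> itself already excluded (the widget ignores it).
//   nodeType 3 = DOM text node; nodeValue is entity-DECODED by the HTML parser
//   nodeType 1 = element node; carried by its serialised markup (outerHTML)
function textNode(value) { return { nodeType: 3, nodeValue: value }; }
function element(outerHTML) { return { nodeType: 1, outerHTML }; }

// Equivalent of jQuery's $("<div>").text(s).html(): text -> safe markup.
function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Vulnerable label serializer (assumed name): text nodes are concatenated as
// decoded text, so a label authored as "&lt;img ...&gt;" becomes "<img ...>".
function serializeLabelVulnerable(nodes) {
  return nodes.map(n => (n.nodeType === 3 ? n.nodeValue : n.outerHTML)).join("");
}

// Patched label serializer (assumed name): text nodes are escaped first,
// so their decoded value can never be re-parsed as a tag.
function serializeLabelPatched(nodes) {
  return nodes.map(n => (n.nodeType === 3 ? escapeHtml(n.nodeValue) : n.outerHTML)).join("");
}

// Stand-in for `label.append(html)` on refresh. The browser would hand the
// string to the HTML parser; listing the tag names it would create is enough
// to show whether the round trip manufactured markup.
function tagsCreatedByAppend(html) {
  return [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)\b/g)].map(m => m[1].toLowerCase());
}

// Simulate init + refresh: serialize the label once, then re-insert it.
function refreshRoundTrip(nodes, serialize) {
  return tagsCreatedByAppend(serialize(nodes));
}

// Constructed input, modelling how the browser would have parsed
//   <label><input type="checkbox"> &lt;img src=x onerror=alert(1)&gt; </label>
// The entities were decoded at parse time, so the text node holds a literal tag.
const hostileLabel = [textNode(" <img src=x onerror=alert(1)> ")];

// The advisory's workaround: the same author-controlled text, but wrapped in a
// <span>. It is now an element node, and outerHTML keeps the entities encoded.
const spanWrappedLabel = [element("<span>&lt;img src=x onerror=alert(1)&gt;</span>")];

// Assumed helper name: returns true when refresh would create any tag that was
// not already an element in the original label contents.
function refreshInjectsMarkup(nodes, serialize) {
  const before = new Set(nodes.filter(n => n.nodeType === 1)
                               .flatMap(n => tagsCreatedByAppend(n.outerHTML)));
  return refreshRoundTrip(nodes, serialize).some(t => !before.has(t));
}

// Stand-alone run: prints which configurations let the <img> through.
for (const [name, serialize] of [["vulnerable", serializeLabelVulnerable],
                                 ["patched", serializeLabelPatched]]) {
  console.log(name, "text label:", refreshRoundTrip(hostileLabel, serialize));
  console.log(name, "span-wrapped label:", refreshRoundTrip(spanWrappedLabel, serialize));
}
```

The point to take from the model is that the unsafe step is not the widget creation but the later `.text()`-then-`.html()` style round trip on `refresh`; any code path that extracts decoded text from the DOM and re-inserts it with an HTML-parsing API has the same shape, and `refreshInjectsMarkup` is the check to apply to such a path.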


Yue Tao (wrytao) changed the summary:
- [Debian] Medium CVE: CVE-2022-31160 jqueryui
+ [Debian] Medium CVE: CVE-2022-31160 jqueryui: potentially vulnerable to cross-site scripting
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/910296

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/910296
Committed: https://opendev.org/starlingx/tools/commit/e0cc551fcb1efb3308f1dd8ef53a8764f2a75570
Submitter: "Zuul (22348)"
Branch: master

commit e0cc551fcb1efb3308f1dd8ef53a8764f2a75570
Author: Wentao Zhang <email address hidden>
Date: Tue Feb 27 13:38:44 2024 +0800

    Debian: jqueryui : fix CVE-2022-31160

    Upgrade libjs-jquery-ui to 1.12.1+dfsg-8+deb11u2

    Refer to:
    https://nvd.nist.gov/vuln/detail/CVE-2022-31160

    Test Plan:
    Pass: downloader
    Pass: build-pkgs --clean --all
    Pass: build-image
    Pass: boot

    Closes-bug: #2052923

    Change-Id: I588f6c917d8123fc15444ccca1337e5d316fc9df
    Signed-off-by: Wentao Zhang <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: nobody → Wentao Zhang (wzhang4)