Javascript libraries with vulnerabilities
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Dashboard (Horizon) | Confirmed | High | Unassigned | |
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
| horizon (Ubuntu) | Confirmed | Undecided | Unassigned | |
Bug Description
A security scan executed by a customer detected JavaScript libraries with known vulnerabilities in the Horizon dashboard on focal ussuri (3:18.3.
# libraries with vulnerabilities
## jQuery 1.12.4
* https:/
## jQuery Migrate 1.2.1
* http://
## AngularJS 1.5.8
* https:/
* https:/
* https:/
The libraries are included via https:/
Is it possible to update these libraries and release an updated package?
CVE References
information type: Private Security → Public
Changed in horizon:
  status: New → Confirmed
  importance: Undecided → High
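The scan result quoted in the description can be reproduced locally by reading the banner comment at the top of each bundled library file, which is where jQuery, jQuery Migrate and AngularJS builds print their version. The following script is an added example for this report, not Horizon, xstatic or Ubuntu packaging code. It assumes the upstream banner formats (`/*! jQuery vX.Y.Z`, `jQuery Migrate - vX.Y.Z`, `@license AngularJS vX.Y.Z`), and the minimum-version thresholds in `POLICY` are placeholders to be filled from your own vulnerability feed, not a statement about which versions are or are not affected. The file contents under `SAMPLE_FILES` are constructed for the example.

```python
"""Detect bundled JavaScript library versions from their banner comments
and compare them with a minimum-version policy.

Added example for this bug report; not Horizon or xstatic code. The banner
patterns match the headers the upstream jQuery, jQuery Migrate and AngularJS
builds ship with; the POLICY thresholds are assumed placeholders.
"""
import re
from typing import Dict, List, Optional, Tuple

# Banner patterns for the three libraries named in the report. Each regex
# captures the version string from the first comment block of the file.
BANNERS = {
    "jquery": re.compile(r"/\*!\s*jQuery v(\d+\.\d+\.\d+)"),
    "jquery-migrate": re.compile(r"jQuery Migrate - v(\d+\.\d+\.\d+)"),
    "angularjs": re.compile(r"@license AngularJS v(\d+\.\d+\.\d+)"),
}

# Assumed policy: minimum acceptable version per library. Fill these in
# from your own vulnerability feed; the values are illustrative only.
POLICY = {
    "jquery": "3.5.0",
    "jquery-migrate": "3.3.0",
    "angularjs": "1.8.0",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.12.4' into (1, 12, 4) so versions compare numerically,
    not lexically ('1.12.4' must sort above '1.9.1')."""
    return tuple(int(p) for p in v.split("."))


def identify(source: str) -> Optional[Tuple[str, str]]:
    """Return (library, version) for a JS file's contents, or None."""
    head = source[:2048]  # banners sit at the top of the file
    for name, pattern in BANNERS.items():
        m = pattern.search(head)
        if m:
            return name, m.group(1)
    return None


def audit(files: Dict[str, str], policy: Dict[str, str] = POLICY) -> List[dict]:
    """Scan {path: contents} and report each recognised library together
    with whether it meets the policy minimum for that library."""
    findings = []
    for path, src in files.items():
        hit = identify(src)
        if hit is None:
            continue
        name, version = hit
        minimum = policy.get(name)
        ok = minimum is None or parse_version(version) >= parse_version(minimum)
        findings.append({"path": path, "library": name, "version": version,
                         "minimum": minimum, "ok": ok})
    return findings


# Constructed sample inputs: the first lines of three bundled files in the
# form the upstream builds print them, plus an unrelated application file.
SAMPLE_FILES = {
    "horizon/lib/jquery/jquery.js":
        "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */\n"
        "!function(a,b){}(window);",
    "horizon/lib/jquery-migrate/jquery-migrate.js":
        "/*!\n * jQuery Migrate - v1.2.1 - 2013-05-08\n"
        " * https://github.com/jquery/jquery-migrate\n */\n",
    "horizon/lib/angular/angular.js":
        "/**\n * @license AngularJS v1.5.8\n"
        " * (c) 2010-2016 Google, Inc. http://angularjs.org\n * License: MIT\n */\n",
    "horizon/js/horizon.js":
        "/* Horizon application code, no third-party banner */\n",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_FILES):
        state = "ok" if f["ok"] else "BELOW MINIMUM"
        print(f"{f['library']:<15} {f['version']:<8} (min {f['minimum']})"
              f" {state}  {f['path']}")
```

To run it against a real installation, replace `SAMPLE_FILES` with a walk over the collected static directory (for example the `static/` tree produced by `collectstatic`) and read each `*.js` file; minified and non-minified builds carry the same banner, so both are caught. Files that were concatenated or re-bundled lose the banner and will be reported as unrecognised, which is itself worth a manual look.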
It looks like the Ubuntu package maintainers have already picked this up. From an upstream OpenStack perspective, we don't mandate use of vulnerable versions of dependencies, as the suggested version ranges in the requirements.txt you linked can confirm.