I checked the Ubuntu code, assuming the scanned code is all in /usr/lib/python3/dist-packages/horizon/xstatic/, here are my findings. I haven't assessed whether the code is actually vulnerable from the horizon dashboard.
## jQuery 1.12.4
This appears to be patched in focal:
ubuntu@juju-e9cc66-zaza-906d385905ca-7:/usr/lib/python3/dist-packages/horizon/xstatic$ grep -r -A 5 2432
pkg/angular/data/angular-scenario.js:// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
pkg/angular/data/angular-scenario.js-jQuery.ajaxPrefilter( function( s ) {
pkg/angular/data/angular-scenario.js- if ( s.crossDomain ) {
pkg/angular/data/angular-scenario.js- s.contents.script = false;
pkg/angular/data/angular-scenario.js- }
pkg/angular/data/angular-scenario.js-} );
## jQuery Migrate 1.2.1
This appears to be patched in focal:
ubuntu@juju-e9cc66-zaza-906d385905ca-7:/usr/lib/python3/dist-packages/horizon/xstatic$ grep -r -A 2 'Strict HTML'
pkg/jquery/data/jquery.js: // Strict HTML recognition (#11290: must start with <)
pkg/jquery/data/jquery.js- rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/,
pkg/jquery/data/jquery.js-
--
pkg/angular/data/angular-scenario.js: // Strict HTML recognition (#11290: must start with <)
pkg/angular/data/angular-scenario.js- // Shortcut simple #id case for speed
pkg/angular/data/angular-scenario.js- rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/,
## AngularJS 1.5.8
This appears to be unpatched in all Ubuntu and upstream releases, see the following files:
This is fixed upstream in 1.8.2.0 of https://opendev.org/openstack/xstatic-angular, however
upper-constraints for stable/ussuri->master are still limited to 1.5.8.0 [1], which doesn't
have the fix.
I checked the Ubuntu code, assuming the scanned code is all in /usr/lib/ python3/ dist-packages/ horizon/ xstatic/ , here are my findings. I haven't assessed whether the code is actually vulnerable from the horizon dashboard.
## jQuery 1.12.4
This appears to be patched in focal:
ubuntu@ juju-e9cc66- zaza-906d385905 ca-7:/usr/ lib/python3/ dist-packages/ horizon/ xstatic$ grep -r -A 5 2432 data/angular- scenario. js:// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432) data/angular- scenario. js-jQuery. ajaxPrefilter( function( s ) { data/angular- scenario. js- if ( s.crossDomain ) { data/angular- scenario. js- s.contents.script = false; data/angular- scenario. js- } data/angular- scenario. js-} );
pkg/angular/
pkg/angular/
pkg/angular/
pkg/angular/
pkg/angular/
pkg/angular/
## jQuery Migrate 1.2.1
This appears to be patched in focal:
ubuntu@ juju-e9cc66- zaza-906d385905 ca-7:/usr/ lib/python3/ dist-packages/ horizon/ xstatic$ grep -r -A 2 'Strict HTML' data/jquery. js: // Strict HTML recognition (#11290: must start with <) data/jquery. js- rquickExpr = /^(?:\s* (<[\w\W] +>)[^>] *|#([\w- ]*))$/, data/jquery. js- data/angular- scenario. js: // Strict HTML recognition (#11290: must start with <) data/angular- scenario. js- // Shortcut simple #id case for speed data/angular- scenario. js- rquickExpr = /^(?:\s* (<[\w\W] +>)[^>] *|#([\w- ]+))$/,
pkg/jquery/
pkg/jquery/
pkg/jquery/
--
pkg/angular/
pkg/angular/
pkg/angular/
## AngularJS 1.5.8
This appears to be unpatched in all Ubuntu and upstream releases, see the following files:
/usr/lib/ python3/ dist-packages/ horizon/ xstatic/ pkg/angular/ data/angular. js python3/ dist-packages/ horizon/ xstatic/ pkg/angular/ data/angular- scenario. js
/usr/lib/
This is fixed upstream in 1.8.2.0 of https:/ /opendev. org/openstack/ xstatic- angular, however ussuri- >master are still limited to 1.5.8.0 [1], which doesn't
upper-constraints for stable/
have the fix.
[1] /github. com/openstack/ requirements/ blob/master/ upper-constrain ts.txt# L95 /github. com/openstack/ requirements/ blob/stable/ ussuri/ upper-constrain ts.txt# L169
https:/
https:/