Outdated and vulnerable versions of Javascript libraries

Bug #1721193 reported by Martin Ivanov on 2017-10-04
Affects                        Status  Importance  Assigned to  Milestone
OpenStack Dashboard (Horizon)          Undecided   Unassigned
OpenStack Security Advisory            Undecided   Unassigned

Bug Description

One or more vulnerabilities were reported for a few outdated versions of the JavaScript libraries used by Horizon.
The suggestion is to upgrade to the latest version.

 /dashboard/static/dashboard/js/5508d0ed7005.js
 /dashboard/static/horizon/lib/jquery/jquery.js
 /dashboard/static/horizon/lib/jquery/jquery.min.js
 /dashboard/static/horizon/lib/jquery_migrate/jquery-migrate.js
 /dashboard/static/horizon/lib/jquery_migrate/jquery-migrate.min.js
 /dashboard/static/horizon/lib/jquery_ui/ui/jquery-ui.js
 /dashboard/static/horizon/lib/jquery_ui/ui/jquery.ui.dialog.js
 /dashboard/static/horizon/lib/jquery_ui/ui/minified/jquery-ui.min.js

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Changed in ossa:
status: New → Incomplete
description: updated

Can you please detail the vulnerabilities and the affected versions?

It seems like a packaging issue since horizon doesn't bundle those libraries (https://docs.openstack.org/horizon/latest/contributor/topics/packaging.html#embedded-copies-not-allowed), therefore this report is likely a class C2 according to VMT's taxonomy (https://security.openstack.org/vmt-process.html#incident-report-taxonomy).

Martin Ivanov (martin76) wrote :

/dashboard/static/dashboard/js/5508d0ed7005.js

Detected Javascript library jquery version 1.10.2.
The version was detected from file content.

References:
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/

Changed in ossa:
status: Incomplete → New
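A check in the spirit of the reporter's file-content detection, added here as an example and not part of the bug report or of Horizon itself: it reads the jQuery version banner out of each .js file under a static tree and flags copies older than the 1.12 / 2.2 releases announced in the linked blog post. The thresholds, the sample file contents and the 3.x handling are assumptions.

```python
"""Flag outdated jQuery copies in a Horizon static tree by reading file content."""
import os
import re

# Version banner written by jQuery's own build (minified and unminified copies),
# plus the `jquery: "x.y.z"` property that survives in concatenated bundles.
VERSION_PATTERNS = (
    re.compile(r"jQuery(?: JavaScript Library)? v(\d+\.\d+\.\d+)"),
    re.compile(r"\bjquery\s*:\s*[\"'](\d+\.\d+\.\d+)[\"']"),
)
# Assumption: the fixed releases are the ones the linked jQuery blog post
# announces (1.12 and 2.2); the page gives no threshold for the 3.x line.
MINIMUM_BY_MAJOR = {1: (1, 12, 0), 2: (2, 2, 0)}

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def detect_jquery_version(content):
    """Return the first jQuery version string embedded in a file's content."""
    for pattern in VERSION_PATTERNS:
        match = pattern.search(content)
        if match:
            return match.group(1)
    return None

def is_outdated(version):
    """True when the version is older than the minimum for its major line."""
    parsed = parse_version(version)
    minimum = MINIMUM_BY_MAJOR.get(parsed[0])
    return minimum is not None and parsed < minimum

def scan_static_tree(root):
    """Return (path, version, outdated) for every .js file that embeds jQuery."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if not name.endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as handle:
                version = detect_jquery_version(handle.read())
            if version:
                findings.append((path, version, is_outdated(version)))
    return findings

# Constructed samples standing in for a compressed bundle and a newer lib copy.
SAMPLE_BUNDLE = "/*! jQuery v1.10.2 | (c) 2005, 2013 jQuery Foundation, Inc. */"
SAMPLE_CURRENT = "var jQuery={jquery:'3.3.1'};"
```

Run `scan_static_tree("/dashboard/static")` against a deployed tree to list every embedded jQuery copy, including ones hidden inside compressed bundles such as the hashed file in the report.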
Matthias Runge (mrunge) wrote :

Since the libraries are decoupled from Horizon itself, it's an issue of your OpenStack distributor.

Changed in horizon:
status: New → Incomplete
Changed in ossa:
status: New → Incomplete
Jeremy Stanley (fungi) wrote :

In keeping with recent OpenStack vulnerability management policy changes, no report should remain under private embargo for more than 90 days. Because this report predates the change in policy, the deadline for public disclosure is being set to 90 days from today. If the report is not resolved within the next 90 days, it will revert to our public workflow as of 2020-05-27. Please see http://lists.openstack.org/pipermail/openstack-discuss/2020-February/012721.html for further details.

description: updated
Jeremy Stanley (fungi) wrote :

It doesn't look like this report has seen any activity since my update two months ago, so consider this a friendly reminder:

The embargo for this report is due to expire one month from today, on May 27, and will be switched public on or shortly after that day if it is not already resolved sooner.

Thanks!

Jeremy Stanley (fungi) on 2020-05-19
description: updated
Jeremy Stanley (fungi) wrote :

The embargo for this report has expired and is now lifted, so it's acceptable to discuss further in public.

description: updated
information type: Private Security → Public Security