Outdated and vulnerable versions of Javascript libraries

Bug #1721193 reported by Martin Ivanov
Affects                         Status        Importance  Assigned to  Milestone
OpenStack Dashboard (Horizon)   Fix Released  Undecided   Unassigned
OpenStack Security Advisory     Won't Fix     Undecided   Unassigned

Bug Description

One or more vulnerabilities were reported for a few outdated versions of the JavaScript libraries used by Horizon.
The suggestion is to upgrade to the latest version.

 /dashboard/static/dashboard/js/5508d0ed7005.js
 /dashboard/static/horizon/lib/jquery/jquery.js
 /dashboard/static/horizon/lib/jquery/jquery.min.js
 /dashboard/static/horizon/lib/jquery_migrate/jquery-migrate.js
 /dashboard/static/horizon/lib/jquery_migrate/jquery-migrate.min.js
 /dashboard/static/horizon/lib/jquery_ui/ui/jquery-ui.js
 /dashboard/static/horizon/lib/jquery_ui/ui/jquery.ui.dialog.js
 /dashboard/static/horizon/lib/jquery_ui/ui/minified/jquery-ui.min.js

Tags: security
Tristan Cacqueray (tristan-cacqueray) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Changed in ossa:
status: New → Incomplete
description: updated
Tristan Cacqueray (tristan-cacqueray) wrote :

Can you please detail the vulnerabilities and the affected versions?

It seems like a packaging issue since Horizon doesn't bundle those libraries ( https://docs.openstack.org/horizon/latest/contributor/topics/packaging.html#embedded-copies-not-allowed ), therefore this report is likely a class C2 according to the VMT's taxonomy ( https://security.openstack.org/vmt-process.html#incident-report-taxonomy ).

Martin Ivanov (martin76) wrote :

/dashboard/static/dashboard/js/5508d0ed7005.js

Detected Javascript library jquery version 1.10.2.
The version was detected from file content.

References:
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/

Changed in ossa:
status: Incomplete → New
Matthias Runge (mrunge) wrote :

Since the libraries are decoupled from Horizon itself, it's an issue of your OpenStack distributor.

Changed in horizon:
status: New → Incomplete
Changed in ossa:
status: New → Incomplete
Jeremy Stanley (fungi) wrote :

In keeping with recent OpenStack vulnerability management policy changes, no report should remain under private embargo for more than 90 days. Because this report predates the change in policy, the deadline for public disclosure is being set to 90 days from today. If the report is not resolved within the next 90 days, it will revert to our public workflow as of 2020-05-27. Please see http://lists.openstack.org/pipermail/openstack-discuss/2020-February/012721.html for further details.

description: updated
Jeremy Stanley (fungi) wrote :

It doesn't look like this report has seen any activity since my update two months ago, so consider this a friendly reminder:

The embargo for this report is due to expire one month from today, on May 27, and will be switched public on or shortly after that day if it is not already resolved sooner.

Thanks!

Jeremy Stanley (fungi)
description: updated
Jeremy Stanley (fungi) wrote :

The embargo for this report has expired and is now lifted, so it's acceptable to discuss further in public.

description: updated
information type: Private Security → Public Security
Jeremy Stanley (fungi) wrote :

I've set our security advisory task for this to Won't Fix as it's a class C2 report per our taxonomy (A vulnerability, but not in OpenStack supported code, e.g., in a dependency): https://security.openstack.org/vmt-process.html#incident-report-taxonomy

Changed in ossa:
status: Incomplete → Won't Fix
information type: Public Security → Public
tags: added: security
Akihiro Motoki (amotoki) wrote :

Horizon has used xstatic-jquery 1.12.4.1 since Sep 26 2018. 1.12.4 is the latest jquery release.
As Matthias commented above, the maintenance of xstatic-jquery is decoupled from Horizon, but Horizon is responsible for making Horizon work with at least the latest stable release of the jquery 1.x series.
We now use the latest stable release of jquery 1.x, so I am marking it as Fix Released. (I don't mark it as Invalid, as we used 1.10.x when the bug was reported.)

FYI: Note that the horizon team is considering the switch to jquery 3 but it is still on the way as we hit test failures.

Changed in horizon:
status: Incomplete → Fix Released
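Martin's comment above notes that the jQuery version (1.10.2) was detected from file content rather than from the file name, which matters because the hashed compressed bundle `5508d0ed7005.js` would be invisible to a filename-based inventory; Akihiro's comment gives 1.12.4 as the latest 1.x release Horizon moved to. The script below is an added example, not part of this bug report, of Horizon, or of xstatic, that automates the same check: it looks for jQuery's own version banner in each served `.js` file and flags copies older than 1.12.4. The banner patterns, the function names (`detect_jquery_version`, `is_outdated`, `scan_files`, `scan_static_root`) and all sample file contents are assumptions constructed for this example.

```python
"""Flag outdated jQuery copies under a static-files tree.

Added example for this bug thread; not Horizon, xstatic or the original
reporter's scanner. File contents below are constructed for illustration.
"""
import os
import re
from typing import Dict, List, Optional, Tuple

# Version banners jQuery ships in its own source: the minified one-liner
# "/*! jQuery v1.10.2 ..." and the unminified header " * jQuery JavaScript
# Library v1.12.4". The second pattern catches the version string assigned
# inside the library body if a bundler stripped the header comment; it can
# also match an unrelated "version = ..." assignment, so treat that as a hint.
_BANNER_RE = re.compile(r"jQuery(?: JavaScript Library)? v(\d+\.\d+(?:\.\d+)?)")
_ASSIGN_RE = re.compile(r"\b(?:core_)?version\s*=\s*[\"'](\d+\.\d+(?:\.\d+)?)[\"']")

# Latest jQuery 1.x release named in the thread; older copies are flagged.
MIN_JQUERY_1X = "1.12.4"


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.10.2' -> (1, 10, 2): compare numerically so 1.10 sorts after 1.9."""
    return tuple(int(part) for part in v.split("."))


def detect_jquery_version(text: str) -> Optional[str]:
    """Return the jQuery version embedded in a JS file's content, or None.

    jQuery Migrate and jQuery UI carry their own banners ("jQuery Migrate - v...")
    that deliberately do not match here; they need separate checks.
    """
    match = _BANNER_RE.search(text) or _ASSIGN_RE.search(text)
    return match.group(1) if match else None


def is_outdated(version: str, minimum: str = MIN_JQUERY_1X) -> bool:
    """True when `version` is older than `minimum` (tuple comparison; a
    two-component version such as '1.12' counts as older than '1.12.4')."""
    return parse_version(version) < parse_version(minimum)


def scan_files(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan {path: content}; report each file that embeds a jQuery version."""
    findings = []
    for path, content in files.items():
        version = detect_jquery_version(content)
        if version is not None:
            findings.append({"path": path, "version": version,
                             "outdated": is_outdated(version)})
    return findings


def scan_static_root(root: str) -> List[Dict[str, object]]:
    """Walk a real static directory (e.g. the served /dashboard/static tree)
    and run the same check over every .js file."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".js"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[path] = fh.read()
    return scan_files(files)


# Constructed sample contents keyed by paths from the report. The compressed
# bundle hides a minified jQuery 1.10.2 behind a hashed file name, which is
# why a filename-based inventory would miss it. The Migrate version is made up.
SAMPLE_FILES = {
    "/dashboard/static/dashboard/js/5508d0ed7005.js":
        "/*! jQuery v1.10.2 | (c) 2005, 2013 jQuery Foundation, Inc. "
        "| jquery.org/license */\n(function(e,t){/* ... */})(window);\n"
        "/* Horizon application code follows in the same bundle */",
    "/dashboard/static/horizon/lib/jquery/jquery.js":
        "/*!\n * jQuery JavaScript Library v1.12.4\n * https://jquery.com/\n */\n"
        "(function(global, factory){/* ... */})(window);",
    "/dashboard/static/horizon/lib/jquery_migrate/jquery-migrate.js":
        "/*!\n * jQuery Migrate - v1.4.1 - 2016-05-19\n */",
}


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        state = "OUTDATED" if finding["outdated"] else "ok"
        print(f"{state:8} jQuery {finding['version']}  {finding['path']}")
```

Run against the sample, the bundle is reported as outdated (1.10.2) and the unbundled `jquery.js` as current (1.12.4); `jquery-migrate.js` produces no finding because it is a different library with its own banner. On a deployment, point `scan_static_root` at the directory the web server serves as `/dashboard/static`, since that is where a distributor's packaged copy, rather than Horizon's own tree, determines what clients actually load.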