Automic Web Interface (AWI) 12.2.5 vulnerability


Article ID: 194944


Products

CA Automic Workload Automation - Automation Engine

Issue/Introduction

In version 12.2.5 we have a vulnerability; we need help to resolve this issue.

URL : https://automic.domain.domainname.com.tr/VAADIN/widgetsets/UC4WebUIWidgetset/jquery-1.7.1.min.js

Installed version : 1.7.1

Fixed version : 3.5.0


CVE: CVE-2020-11022

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022


Cause

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.


AWI 12.2.5 ships with jQuery version 1.7.1:

https://automic.domain.domainname.com.tr/VAADIN/widgetsets/UC4WebUIWidgetset/jquery-1.7.1.min.js

AWI 12.3.2 and 12.3.3 ship with jQuery version 3.3.1, which is still below the fixed version 3.5.0:

<script type="text/javascript" src="/awi/VAADIN/widgetsets/UC4WebUIWidgetset/jquery-3.3.1.min.js"></script>
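To confirm from the served asset whether a given AWI build falls inside the affected range, the following Python check (an added example, not part of this article or of the product) parses the jQuery version from the script URL or from the `/*! jQuery vX.Y.Z` banner at the top of the file and compares it with the range stated above. The two regular expressions and the banner sample line are assumptions about jQuery's asset naming, not taken from the article.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected range as stated in the advisory: jQuery >= 1.2 and < 3.5.0 (CVE-2020-11022).
AFFECTED_MIN: Version = (1, 2, 0)
FIXED_IN: Version = (3, 5, 0)

# The version is visible either in the asset name (jquery-1.7.1.min.js) or in the
# banner comment at the top of the file (/*! jQuery v3.3.1 | ...).
# Both patterns are assumptions about jQuery's asset naming, not taken from the article.
_FILENAME_RE = re.compile(r"jquery-(\d+)\.(\d+)(?:\.(\d+))?(?:\.min)?\.js", re.IGNORECASE)
_BANNER_RE = re.compile(r"jQuery (?:JavaScript Library )?v(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)

def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from a script URL or the first bytes of the file."""
    for pattern in (_FILENAME_RE, _BANNER_RE):
        match = pattern.search(text)
        if match:
            major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
            return (int(major), int(minor), int(patch))
    return None

def is_affected(version: Version) -> bool:
    """True when the version lies in [1.2.0, 3.5.0), the range CVE-2020-11022 covers."""
    return AFFECTED_MIN <= version < FIXED_IN

def assess(text: str) -> str:
    """Human-readable verdict for one URL or file header."""
    version = parse_version(text)
    if version is None:
        return "unknown: no jQuery version found"
    label = ".".join(str(part) for part in version)
    verdict = "AFFECTED" if is_affected(version) else "not affected"
    return f"jQuery {label}: {verdict} by CVE-2020-11022"

if __name__ == "__main__":
    samples = [
        # Script paths quoted in the article for AWI 12.2.5 and 12.3.2/12.3.3.
        "https://automic.domain.domainname.com.tr/VAADIN/widgetsets/UC4WebUIWidgetset/jquery-1.7.1.min.js",
        "/awi/VAADIN/widgetsets/UC4WebUIWidgetset/jquery-3.3.1.min.js",
        # Constructed banner line in the form the upstream minified build uses.
        "/*! jQuery v3.5.0 | (c) JS Foundation and other contributors | jquery.org/license */",
    ]
    for sample in samples:
        print(assess(sample))
```

Both paths quoted in the article evaluate as affected, which is why 12.3.2 and 12.3.3 do not close the finding and 12.3.4 is required.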

Environment

Release : 12.2

Component : AUTOMIC WEB INTERFACE

Resolution

There is no functional impact; this is a vulnerability in the bundled jQuery library, fixed upstream in jQuery 3.5.0.

The engineering team has accepted this as a bug. This will be fixed in a future release.

Customers are invited to register on the Support Portal for information about products and features; new fixes will be referenced there accordingly.

Automic 12.3.4 has been released and resolves this issue for the 12.3 release line.