
Jasper Vulnerable javascript library: jQuery 1.11.0


Article ID: 215032


Products

CA Service Desk Manager
CA Service Management - Service Desk Manager

Issue/Introduction

Scan result:

Vulnerable javascript library: jQuery
version: 1.11.0
script uri: https://test.lab.com/jasperserver-pro/runtime/4B5D4A6F/optimized-scripts/bower_components/jquery/dist/jquery.js
Details:
CVE-2015-9251: jQuery versions on or above 1.4.0 and below 1.12.0 (version 1.12.3 and above but below 3.0.0-beta1 as well) are vulnerable to XSS via 3rd party text/javascript responses(3rd party CORS request may execute). (https://github.com/jquery/jquery/issues/2432).
Solution: jQuery version 1.12.0 has been released to address the issue (http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/). NOTE: Fix was reverted back in 1.12.2, so version 1.12.3 and above but below 3.0.0-beta1 are vulnerable as well. Please refer to vendor documentation (https://blog.jquery.com/) for the latest security updates.

In jQuery versions on or above 1.8.0 and below 1.12.0 $.parseHTML has (lots of) XSS. In these versions parseHTML() executes scripts in event handlers. Please refer following resource for more details: https://bugs.jquery.com/ticket/11974, http://research.insecurelabs.org/jquery/test/

CVE-2019-11358: jQuery versions below 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. An unsanitized source object containing an enumerable __proto__ property could extend the native Object.prototype. Please refer following resources for more details: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/, https://nvd.nist.gov/vuln/detail/CVE-2019-11358, https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b, https://nvd.nist.gov/vuln/detail/CVE-2019-11358.

jQuery versions below 3.5.0 used a regex in its jQuery.htmlPrefilter method. This regex which is used to ensure that all tags are XHTML-compliant could introduce a vulnerability to Cross-site Scripting(XSS) attack. Please refer to vendor documentation (https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ and https://jquery.com/upgrade-guide/3.5/) for the security fix details.

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. Please refer https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2 and https://nvd.nist.gov/vuln/detail/CVE-2020-11022 for details.
Found on the following pages (only first 10 pages are reported):
https://test.lab.com/jasperserver-pro/login.html
https://test.lab.com/jasperserver-pro/favicon.ico
https://test.lab.com/jasperserver-pro/login.html#
https://test.lab.com/jasperserver-pro/runtime/4B5D4A6F/optimized-scripts/bower_components/jquery/dist/favicon.ico
https://test.lab.com/jasperserver-pro/runtime/4B5D4A6F/optimized-scripts/bower_components/jquery/dist/list.jsp
https://test.lab.com/jasperserver-pro/_themes/4CE1222C/favicon.ico
https://test.lab.com/jasperserver-pro/_themes/4CE1222C/list.jsp
https://test.lab.com/jasperserver-pro/runtime/4B5D4A6F/optimized-scripts/bower_components/requirejs/favicon.ico
https://test.lab.com/jasperserver-pro/runtime/4B5D4A6F/optimized-scripts/favicon.ico
https://test.lab.com/jasperserver-pro/runtime/4B5D4A6F/optimized-scripts/bower_components/requirejs/list.jsp

Environment

JasperReports Server r7.1.1

Resolution

JasperReports Server r7.1.1 is going to be EOS soon.

Consider upgrading to a newer version and rerunning the scan.

Newer versions use an updated version of the jQuery library.
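
To check which of the findings in the scan result above would still apply to the jQuery build shipped by an upgraded server, the version ranges quoted in the scan details can be evaluated against the version string in the library's comment banner. The following is an added example, not code from the scanner or from JasperReports Server; the function names, the finding labels and the sample banner are assumptions made for this example, and the ranges are taken as stated in the scan output.

```javascript
// Added example; function names and finding labels are this example's own.
// Ranges are [inclusive lower, exclusive upper], transcribed from the scan details.
const FINDINGS = [
  { id: "CVE-2015-9251", ranges: [["1.4.0", "1.12.0"], ["1.12.3", "3.0.0-beta1"]] },
  { id: "parseHTML XSS", ranges: [["1.8.0", "1.12.0"]] },
  { id: "CVE-2019-11358", ranges: [["0.0.0", "3.4.0"]] },
  { id: "htmlPrefilter XSS", ranges: [["0.0.0", "3.5.0"]] },
  { id: "CVE-2020-11022", ranges: [["1.2", "3.5.0"]] },
];

// "1.11.0", "1.2" or "3.0.0-beta1" -> { nums: [major, minor, patch], pre }
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return { nums: [m[1], m[2], m[3] || "0"].map(Number), pre: m[4] || null };
}

// Negative, zero or positive. A pre-release sorts before its release
// (3.0.0-beta1 < 3.0.0); two pre-release tags are compared as plain strings,
// a simplification that is enough for the ranges above.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] - y.nums[i];
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// Pull the version out of the comment banner at the top of jquery.js / jquery.min.js.
function versionFromBanner(text) {
  const m = /jQuery (?:JavaScript Library )?v(\d+\.\d+(?:\.\d+)?(?:-[0-9A-Za-z.]+)?)/.exec(text);
  return m ? m[1] : null;
}

// List the findings whose stated range contains the given version.
function findingsFor(version) {
  return FINDINGS.filter((f) => f.ranges.some(([lo, hi]) =>
    compareVersions(version, lo) >= 0 && compareVersions(version, hi) < 0
  )).map((f) => f.id);
}

// Constructed sample banner, not fetched from any server.
const sampleBanner = "/*!\n * jQuery JavaScript Library v1.11.0\n * http://jquery.com/\n */";
console.log(findingsFor(versionFromBanner(sampleBanner)));
```

An empty list from findingsFor() for the upgraded server's version means none of the ranges quoted in this scan result match it; the rerun scan remains the authoritative check.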