
JQuery Version 1.2 Identified by Internal Pen Testing and requires remediation


Article ID: 227792


Products

CA Identity Suite

Issue/Introduction

 

Problem: The remote web server is affected by multiple cross-site scripting vulnerabilities.

Internal pen testing found that an older version of jQuery is in use, and that version has multiple cross-site scripting vulnerabilities.

Recommendation: Upgrade to jQuery version 3.5.0 or later.

 

Environment

Release : 14.3 CP2

Component : Virtual Appliance

Resolution

Identity Portal has the required defense mechanisms implemented to handle cross-site scripting attacks when a cross-domain Ajax request is performed. Its frontend API also does not allow the native Object.prototype source object to be extended, and does not allow jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) to be used to execute untrusted code. Identity Portal is not vulnerable to the issues described in CVE-2015-9251, CVE-2019-11358 and CVE-2020-11022, with the lower versions of AngularJS and jQuery it uses.

If any XSS attack or Object.prototype source object pollution is noticed, please share the specific use-case details and we will handle it on an urgent basis.

-----

14.3 CP2 does use an older version of jQuery. The vulnerability is not exploitable in 14.3 CP2. It is not being fixed in 14.3 because major code changes would be needed. The vast majority of the jQuery versions were upgraded in 14.4 along with all the new code changes. This will not be fixed in 14.3 or its CPs. You will need to upgrade to 14.4, where the code changes for this have been made and it continues to not be exploitable. We already have a more robust implementation of the same function, with strict filtering of all HTML tags, so there is no scope to execute malicious scripts as part of the response:


Customer's ask (pass the HTML through unchanged, which is what jQuery 3.5.0 does):

jQuery.htmlPrefilter = function( html ) {
    return html;
};

Our existing implementation (rewrites self-closing tags, other than the listed void elements, into an explicit open/close pair before the markup is parsed):

var rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

jQuery.extend( {
    htmlPrefilter: function( html ) {
        return html.replace( rxhtmlTag, "<$1></$2>" );
    }
} );
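The following is an added example, not code from this article or from CA/Broadcom's product. It models the two htmlPrefilter behaviours compared above on constructed, benign markup so an administrator can see exactly which inputs the pre-3.5 tag expansion rewrites, and it adds a small version check against the 3.5.0 recommendation given in the Issue section. The regex is the one quoted in the article; the function names (legacyHtmlPrefilter, passthroughHtmlPrefilter, diffPrefilters, parseVersion, meetsRecommendation) and the sample inputs are assumptions of this example. It runs under plain Node.js with no jQuery dependency.

```javascript
// Added example (not from the KB article): compares the pre-3.5 and the
// 3.5.0+ htmlPrefilter behaviours on benign markup, and checks a jQuery
// version string against the article's ">= 3.5.0" recommendation.

// Regex as quoted in the article (pre-3.5 jQuery): a self-closing tag that
// is not one of the listed void elements is expanded to <tag ...></tag>.
const rxhtmlTag =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// "Our existing implementation" in the article: rewrite self-closing tags.
function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// "Customer's ask" in the article (jQuery 3.5.0+): pass markup through untouched.
function passthroughHtmlPrefilter(html) {
  return html;
}

// For each sample, report what the legacy prefilter produces and whether it
// differs from the pass-through. Useful when auditing whether application
// code depends on the old tag expansion before upgrading jQuery.
function diffPrefilters(samples) {
  return samples.map((input) => {
    const legacy = legacyHtmlPrefilter(input);
    return { input, legacy, changed: legacy !== passthroughHtmlPrefilter(input) };
  });
}

// Parse a "major.minor.patch" string (the shape of jQuery.fn.jquery).
// Returns null for anything unexpected so junk is never treated as "new enough".
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(v).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

// true when the jQuery version meets the article's recommendation (>= 3.5.0).
function meetsRecommendation(version, minimum = "3.5.0") {
  const have = parseVersion(version);
  const need = parseVersion(minimum);
  if (!have || !need) return false;
  for (let i = 0; i < 3; i++) {
    if (have[i] !== need[i]) return have[i] > need[i];
  }
  return true;
}

// Constructed sample inputs (benign tags only); "<br/>" is a void element
// and is left alone by the legacy regex, the others are rewritten.
const SAMPLES = ["<div/>", "<br/>", '<p class="x"/>', "<span>ok</span>"];

if (typeof require !== "undefined" && require.main === module) {
  console.table(diffPrefilters(SAMPLES));
  for (const v of ["1.12.4", "3.4.1", "3.5.0", "3.6.0"]) {
    console.log(v, meetsRecommendation(v) ? "meets 3.5.0 recommendation" : "below 3.5.0");
  }
}
```

In a browser console the version string to feed meetsRecommendation is jQuery.fn.jquery; the diff helper is the quickest way to confirm that nothing in a page relies on the legacy rewrite before switching to the 3.5.0 pass-through behaviour.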