CVE-2021-41182, CVE-2021-41183, CVE-2021-41184, CVE-2022-31160
Article ID: 280539

Products

CA Identity Suite

Issue/Introduction

A local security scan reports the following CVEs:

  • CVE-2021-41182: XSS in the `altField` option of the Datepicker widget
  • CVE-2021-41183: XSS Vulnerability on text options of jQuery UI datepicker
  • CVE-2021-41184: XSS in the `of` option of the `.position()` util
  • CVE-2022-31160: XSS when refreshing a checkboxradio with an HTML-like initial text label

Environment

Identity Suite 14.x

Cause

jQuery UI version 1.12.1

Resolution

The scan results are caused by jQuery UI version 1.12.1, which IGA versions 14.4 and 14.5 currently use. L2 has reviewed the backend code and confirmed that IGA is not vulnerable to these CVEs with jQuery UI 1.12.1: the vulnerable functions are not used by IGA and are not reachable to be exploited.

jQuery UI version 1.13.2 is under review for a future release of V15.
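The argument above rests on two facts that a scanner does not check: which jQuery UI version is actually deployed, and whether the application code calls the affected APIs with untrusted values. The following triage helper is an added example, not CA/Broadcom code and not part of this article. It assumes the web root contains a stock `jquery-ui*.js` with the upstream banner (`/*! jQuery UI - vX.Y.Z - DATE`) or a `version = "X.Y.Z"` assignment, and that application scripts are plain `.js`/`.html`/`.jsp` files. The usage patterns are heuristics: a hit marks a call site to review, not a confirmed exposure, since the CVEs only apply when the option value comes from untrusted input. The fixed-in versions come from the upstream jQuery UI changelog (1.13.0 for the three 2021 CVEs, 1.13.2 for CVE-2022-31160).

```python
"""Triage helper for jQuery UI XSS findings (CVE-2021-41182/41183/41184, CVE-2022-31160).

Hypothetical example, not CA/Broadcom code. Assumes:
  - the deployed web root holds jquery-ui*.js with the stock banner
    '/*! jQuery UI - vX.Y.Z - DATE' (or a 'version = "X.Y.Z"' assignment);
  - application scripts are plain .js/.html/.jsp files that can be read as text.
"""
import re
from pathlib import Path
from typing import Dict, Optional, Set, Tuple

# Upstream version in which each CVE was fixed (jQuery UI changelog).
FIXED_IN: Dict[str, str] = {
    "CVE-2021-41182": "1.13.0",  # Datepicker altField option
    "CVE-2021-41183": "1.13.0",  # Datepicker *Text options
    "CVE-2021-41184": "1.13.0",  # .position() 'of' option
    "CVE-2022-31160": "1.13.2",  # checkboxradio refresh with HTML-like label
}

# Heuristic source patterns for the API each CVE concerns. A hit means
# "review this call site for untrusted input", not "exploitable".
USAGE_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "CVE-2021-41182": re.compile(r"\baltField\s*:"),
    "CVE-2021-41183": re.compile(r"\bdatepicker\s*\(\s*\{[^}]*\b\w+Text\s*:", re.S),
    "CVE-2021-41184": re.compile(r"\.position\s*\(\s*\{[^}]*\bof\s*:", re.S),
    "CVE-2022-31160": re.compile(r"\bcheckboxradio\s*\("),
}

_BANNER = re.compile(r"jQuery UI - v(\d+\.\d+\.\d+)")
_ASSIGN = re.compile(r"\bversion\s*[:=]\s*[\"'](\d+\.\d+\.\d+)[\"']")


def detect_version(library_js: str) -> Optional[str]:
    """Extract the jQuery UI version from a library file's banner or source."""
    m = _BANNER.search(library_js) or _ASSIGN.search(library_js)
    return m.group(1) if m else None


def _vtuple(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def affected_cves(version: str) -> Set[str]:
    """CVEs whose upstream fix is newer than the detected library version."""
    return {cve for cve, fixed in FIXED_IN.items() if _vtuple(version) < _vtuple(fixed)}


def find_usages(app_js: str) -> Dict[str, int]:
    """Count call sites in application code that touch each CVE's API."""
    return {cve: len(pattern.findall(app_js)) for cve, pattern in USAGE_PATTERNS.items()}


def triage(library_js: str, app_js: str) -> Dict[str, str]:
    """Combine version evidence and usage evidence into a per-CVE verdict."""
    version = detect_version(library_js)
    if version is None:
        return {cve: "unknown-version" for cve in FIXED_IN}
    affected = affected_cves(version)
    usages = find_usages(app_js)
    verdict: Dict[str, str] = {}
    for cve in FIXED_IN:
        if cve not in affected:
            verdict[cve] = "fixed-in-library"
        elif usages[cve] == 0:
            verdict[cve] = "library-affected-api-unused"   # the article's argument
        else:
            verdict[cve] = f"review-{usages[cve]}-call-sites"
    return verdict


def scan_directory(root: Path) -> Dict[str, str]:
    """Walk a web root: jquery-ui*.js is the library, other script files are app code."""
    library, app = [], []
    for path in root.rglob("*"):
        if path.suffix.lower() not in {".js", ".html", ".jsp"}:
            continue
        text = path.read_text(errors="replace")
        (library if path.name.lower().startswith("jquery-ui") else app).append(text)
    return triage("\n".join(library), "\n".join(app))


# Constructed sample inputs (not taken from any real deployment).
SAMPLE_LIBRARY = "/*! jQuery UI - v1.12.1 - 2016-09-14\n * http://jqueryui.com\n */\n"
SAMPLE_APP = """
$('#start').datepicker({ dateFormat: 'yy-mm-dd', altField: '#startAlt' });
$('#menu').position({ my: 'left top', at: 'left bottom', of: '#menuButton' });
"""

if __name__ == "__main__":
    for cve, result in triage(SAMPLE_LIBRARY, SAMPLE_APP).items():
        print(f"{cve}: {result}")
```

Running the module on the constructed sample reports the two 2021 CVEs whose APIs are unused as `library-affected-api-unused`, which is exactly the situation the article describes for IGA; a call site hit only means the option value needs to be traced to its source. Point `scan_directory` at an exploded WAR or web root to run the same check against a real deployment.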