Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (JIRA)" <ji...@apache.org> on 2017/03/18 13:03:41 UTC

[jira] [Created] (OFBIZ-9269) Check embedded Javascript libs vulnerabilities using retire.js

Jacques Le Roux created OFBIZ-9269:
--------------------------------------

             Summary: Check embedded Javascript libs vulnerabilities using retire.js
                 Key: OFBIZ-9269
                 URL: https://issues.apache.org/jira/browse/OFBIZ-9269
             Project: OFBiz
          Issue Type: Sub-task
          Components: ALL COMPONENTS
    Affects Versions: Trunk
            Reporter: Jacques Le Roux


1+ years ago I created the page https://cwiki.apache.org/confluence/display/OFBIZ/About+retire.js
I just checked again and here are the results:

{code}
C:\projectsASF\ofbiz-framework\framework\images\webapp\images\jquery\jquery-1.11.0.js
 ? jquery 1.11.0 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
 
C:\projectsASF\ofbiz-framework\framework\images\webapp\images\jquery\jquery-migrate-1.2.1.js
 ? jquery-migrate 1.2.1 has known vulnerabilities: severity: medium; bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 http://research.insecurelabs.org/jquery/test/

C:\projectsASF\ofbiz-framework\framework\images\webapp\images\jquery\jquery-1.11.0.min.js
 ? jquery 1.11.0.min has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/

C:\projectsASF\ofbiz-framework\plugins\solr\webapp\solr\js\require.js
 ? jquery 1.7.1 has known vulnerabilities: severity: medium; bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/

C:\projectsASF\ofbiz-framework\plugins\solr\webapp\solr\libs\angular.min.js
 ? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize;
 https://github.com/angular/angular.js/blob/master/CHANGELOG.md

C:\projectsASF\ofbiz-framework\plugins\solr\webapp\solr\libs\angular.js
 ? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize;
 https://github.com/angular/angular.js/blob/master/CHANGELOG.md

C:\projectsASF\ofbiz-framework\plugins\solr\webapp\solr\libs\jquery-2.1.3.min.js
 ? jquery 2.1.3.min has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/

C:\projectsASF\ofbiz-framework\framework\images\webapp\images\jquery\jquery.mobile\jquery.mobile-1.4.0.js
 ? jquery-mobile 1.4.0 has known vulnerabilities: severity: medium; summary: open redirect leads to cross site scripting; http://sirdarckcat.blogspot.no/2017/02/unpatched-0day-jquery-mobile-xss.html
 
C:\projectsASF\ofbiz-framework\framework\images\webapp\images\jquery\jquery.mobile\jquery.mobile-1.4.0.min.js
 ? jquery-mobile 1.4.0.min has known vulnerabilities: severity: medium; summary: open redirect leads to cross site scripting; http://sirdarckcat.blogspot.no/2017/02/unpatched-0day-jquery-mobile-xss.html
 
C:\projectsASF\ofbiz-framework\plugins\solr\webapp\solr\js\lib\jquery-1.7.2.min.js
 ? jquery 1.7.2.min has known vulnerabilities: severity: medium; bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 http://research.insecurelabs.org/jquery/test/ severity:medium; issue: 2432, summary: 3rd party CORS request may execute; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
 
C:\projectsASF\ofbiz-framework\plugins\birt\webapp\birt\webcontent\birt\ajax\lib\prototype.js
 ? prototypejs 1.4.0 has known vulnerabilities: severity: high; CVE: CVE-2008-7220; http://www.cvedetails.com/cve/CVE-2008-7220/
{code}

So it's time to update the embedded Javascript libs again.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
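The report above is retire.js's plain-text output, one path line followed by one finding line per library, with several "severity: ...;" fragments on a single line when a library has more than one known issue. The script below is an added example written for this thread; it is not part of OFBiz, of the issue, or of retire.js. It parses that text shape into structured findings, collapses the ".min" suffix so minified and unminified copies of the same library version land in one upgrade item, counts findings per severity, and offers a threshold check of the kind a build job would use to fail on "high" or worse. The sample report embedded in it is constructed for the example (shortened from the issue's output); the "?" marker stands for the arrow glyph retire.js prints, which the mail archive mangled, so any single non-space token is accepted in that position.

```javascript
// Added example (not from the issue, OFBiz or retire.js): parse retire.js's
// plain-text report, summarise it by severity and library version, and gate on
// a severity threshold. Assumed input shape: a "<path>" line followed by lines
// "<marker> <component> <version> has known vulnerabilities: severity: ..." .

// Constructed sample, shortened from the report in the issue.
const SAMPLE_REPORT = `
C:\\projects\\app\\images\\jquery\\jquery-1.11.0.js
 ? jquery 1.11.0 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/

C:\\projects\\app\\solr\\js\\lib\\jquery-1.7.2.min.js
 ? jquery 1.7.2.min has known vulnerabilities: severity: medium; bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 http://research.insecurelabs.org/jquery/test/ severity:medium; issue: 2432, summary: 3rd party CORS request may execute; https://github.com/jquery/jquery/issues/2432

C:\\projects\\app\\birt\\ajax\\lib\\prototype.js
 ? prototypejs 1.4.0 has known vulnerabilities: severity: high; CVE: CVE-2008-7220; http://www.cvedetails.com/cve/CVE-2008-7220/
`;

// Optional one-token marker, then component, version and the rest of the line.
const FINDING_RE = /^\s*(?:\S\s+)?(\S+)\s+(\S+)\s+has known vulnerabilities:\s*(.*)$/;
const URL_RE = /https?:\/\/\S+/g;
const ID_RE = /\b(issue|bug|cve|pr)\s*:\s*([^,;\s]+)/gi;
const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };

// One "<level>; <ids>, summary: <text>; <urls>" fragment -> structured object.
function parseVulnEntry(entry) {
  const semi = entry.indexOf(';');
  const severity = (semi === -1 ? entry : entry.slice(0, semi)).trim().toLowerCase();
  let rest = semi === -1 ? '' : entry.slice(semi + 1);
  const urls = rest.match(URL_RE) || [];
  rest = rest.replace(URL_RE, '');            // keep id/summary parsing away from URL text
  const summaryMatch = rest.match(/summary:\s*([^;]*)/i);
  const identifiers = {};
  for (const m of rest.matchAll(ID_RE)) identifiers[m[1].toLowerCase()] = m[2];
  return { severity, summary: summaryMatch ? summaryMatch[1].trim() : '', identifiers, urls };
}

// Whole report -> [{ file, component, version, minified, vulns: [...] }]
function parseRetireReport(text) {
  const findings = [];
  let currentFile = null;
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (!line) continue;
    const m = line.match(FINDING_RE);
    if (!m) { currentFile = line; continue; }   // any other non-empty line is a path
    if (currentFile === null) throw new Error(`finding without a preceding path: ${line}`);
    const [, component, rawVersion, body] = m;
    // Each vulnerability fragment starts with "severity:" (with or without a space).
    const entries = body.split(/\bseverity:\s*/i).filter((e) => e.trim().length > 0);
    findings.push({
      file: currentFile,
      component,
      version: rawVersion.replace(/\.min$/i, ''),   // "1.7.2.min" and "1.7.2" are one upgrade
      minified: /\.min$/i.test(rawVersion),
      vulns: entries.map(parseVulnEntry),
    });
  }
  return findings;
}

// Counts per severity, the worst level seen, and a de-duplicated upgrade list.
function summarize(findings) {
  const bySeverity = {};
  const upgrades = new Map();                  // "component@version" -> Set of files
  let worst = 'none';
  for (const f of findings) {
    const key = `${f.component}@${f.version}`;
    if (!upgrades.has(key)) upgrades.set(key, new Set());
    upgrades.get(key).add(f.file);
    for (const v of f.vulns) {
      bySeverity[v.severity] = (bySeverity[v.severity] || 0) + 1;
      if ((SEVERITY_RANK[v.severity] || 0) > (SEVERITY_RANK[worst] || 0)) worst = v.severity;
    }
  }
  const list = [...upgrades.entries()]
    .map(([lib, files]) => ({ lib, files: [...files].sort() }))
    .sort((a, b) => a.lib.localeCompare(b.lib));
  return { worst, bySeverity, upgrades: list };
}

// True when the worst finding is at or above the threshold (e.g. fail CI on "high").
function shouldFailBuild(summary, threshold) {
  return (SEVERITY_RANK[summary.worst] || 0) >= (SEVERITY_RANK[threshold] || 0);
}

if (typeof require !== 'undefined' && require.main === module) {
  const summary = summarize(parseRetireReport(SAMPLE_REPORT));
  console.log(JSON.stringify(summary, null, 2));
  console.log(`fail build at "high": ${shouldFailBuild(summary, 'high')}`);
}
```

Running it with node prints the severity counts, the worst level (here "high", from the prototype.js finding) and three upgrade items, one per library version rather than one per file. To use it on a real run, replace SAMPLE_REPORT with the text retire.js wrote for the tree being scanned; the threshold check is what turns the periodic manual re-check described in the issue into something a build can enforce.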

Re: [jira] [Created] (OFBIZ-9269) Check embedded Javascript libs vulnerabilities using retire.js

Posted by Pierre Smits <pi...@gmail.com>.
Great initiative/follow-up, Jacques!

Best regards,

Pierre Smits

ORRTIZ.COM <http://www.orrtiz.com>
OFBiz based solutions & services

OFBiz Extensions Marketplace
http://oem.ofbizci.net/oci-2/

On Sat, Mar 18, 2017 at 2:03 PM, Jacques Le Roux (JIRA) <ji...@apache.org>
wrote:

> Jacques Le Roux created OFBIZ-9269:
> --------------------------------------
>
>              Summary: Check embedded Javascript libs vulnerabilities using
> retire.js
>                  Key: OFBIZ-9269
>                  URL: https://issues.apache.org/jira/browse/OFBIZ-9269
>              Project: OFBiz
>           Issue Type: Sub-task
>           Components: ALL COMPONENTS
>     Affects Versions: Trunk
>             Reporter: Jacques Le Roux
>
>
> 1+ years ago I created the page https://cwiki.apache.org/
> confluence/display/OFBIZ/About+retire.js
> I just checked again and here are the results
>
> {code}
> C:\projectsASF\ofbiz-framework\framework\images\
> webapp\images\jquery\jquery-1.11.0.js
>  ? jquery 1.11.0 has known vulnerabilities: severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute; https://github.com/jquery/
> jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-
> released/
>
> C:\projectsASF\ofbiz-framework\framework\images\
> webapp\images\jquery\jquery-migrate-1.2.1.js
>  ? jquery-migrate 1.2.1 has known vulnerabilities: severity: medium; bug:
> 11290, summary: Selector interpreted as HTML;
> http://bugs.jquery.com/ticket/11290 http://research.insecurelabs.
> org/jquery/test/
>
> C:\projectsASF\ofbiz-framework\framework\images\
> webapp\images\jquery\jquery-1.11.0.min.js
>  ? jquery 1.11.0.min has known vulnerabilities: severity: medium; issue:
> 2432, summary: 3rd party CORS request may execute;
> https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/
> 01/08/jquery-2-2-and-1-12-released/
>
> C:\projectsASF\ofbiz-framework\plugins\solr\webapp\solr\js\require.js
>  ? jquery 1.7.1 has known vulnerabilities: severity: medium; bug: 11290,
> summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290
> http://research.insecurelabs.org/jquery/test/ severity: medium; issue:
> 2432, summary: 3rd party CORS request may execute;
> https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/
> 01/08/jquery-2-2-and-1-12-released/
>
> C:\projectsASF\ofbiz-framework\plugins\solr\webapp\
> solr\libs\angular.min.js
>  ? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary:
> The attribute usemap can be used as a security exploit;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md severity:
> medium; summary: Universal CSP bypass via add-on in Firefox;
> https://github.com/mozilla/addons-linter/issues/1000#
> issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium;
> summary: DOS in $sanitize;
>  https://github.com/angular/angular.js/blob/master/CHANGELOG.md
>
> C:\projectsASF\ofbiz-framework\plugins\solr\webapp\solr\libs\angular.js
>  ? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary:
> The attribute usemap can be used as a security exploit;
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md severity:
> medium; summary: Universal CSP bypass via add-on in Firefox;
> https://github.com/mozilla/addons-linter/issues/1000#
> issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium;
> summary: DOS in $sanitize;
>  https://github.com/angular/angular.js/blob/master/CHANGELOG.md
>
> C:\projectsASF\ofbiz-framework\plugins\solr\webapp\
> solr\libs\jquery-2.1.3.min.js
>  ? jquery 2.1.3.min has known vulnerabilities: severity: medium; issue:
> 2432, summary: 3rd party CORS request may execute;
> https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/
> 01/08/jquery-2-2-and-1-12-released/
>
> C:\projectsASF\ofbiz-framework\framework\images\
> webapp\images\jquery\jquery.mobile\jquery.mobile-1.4.0.js
>  ? jquery-mobile 1.4.0 has known vulnerabilities: severity: medium;
> summary: open redirect leads to cross site scripting;
> http://sirdarckcat.blogspot.no/2017/02/unpatched-0day-
> jquery-mobile-xss.html
>
> C:\projectsASF\ofbiz-framework\framework\images\
> webapp\images\jquery\jquery.mobile\jquery.mobile-1.4.0.min.js
>  ? jquery-mobile 1.4.0.min has known vulnerabilities: severity: medium;
> summary: open redirect leads to cross site scripting;
> http://sirdarckcat.blogspot.no/2017/02/unpatched-0day-
> jquery-mobile-xss.html
>
> C:\projectsASF\ofbiz-framework\plugins\solr\webapp\
> solr\js\lib\jquery-1.7.2.min.js
>  ? jquery 1.7.2.min has known vulnerabilities: severity: medium; bug:
> 11290, summary: Selector interpreted as HTML;
> http://bugs.jquery.com/ticket/11290 http://research.insecurelabs.
> org/jquery/test/ severity:medium; issue: 2432, summary: 3rd party CORS
> request may execute; https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
>
> C:\projectsASF\ofbiz-framework\plugins\birt\webapp\
> birt\webcontent\birt\ajax\lib\prototype.js
>  ? prototypejs 1.4.0 has known vulnerabilities: severity: high; CVE:
> CVE-2008-7220; http://www.cvedetails.com/cve/CVE-2008-7220/
> {code}
>
> So it's time to update again the Javascript embedded libs
>
>
>
> --
> This message was sent by Atlassian JIRA
> (v6.3.15#6346)
>