0024672: Fix Bootstrap security issues (CVE-2018-14040, CVE-2018-14041, CVE-2018-14042) - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update
0024672	mantisbt	security	public	2018-08-16 08:53	2019-09-20 10:26

Reporter	Kyle_Katarn	Assigned To	atrol
Priority	normal	Severity	minor	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	2.16.0
Target Version	2.20.0	Fixed in Version	2.20.0

Summary	0024672: Fix Bootstrap security issues (CVE-2018-14040, CVE-2018-14041, CVE-2018-14042)
Description	Mantis is depending on Boostrap 3.3.6 which has some vulnerabilities (3 medium according to Netsparker). http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14040 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14041 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14042 Consider update to a more recent version.
Tags	No tags attached.

dregad 2018-08-16 11:22 developer ~0060442 Last edited: 2018-08-16 11:32	Thanks for the heads up, we'll look into it. EDIT: After a quick look at changes from 3 to 4, and considering our use of the ACE admin template, this is no small undertaking... don't hold your breath ;-)

atrol 2018-08-16 11:44 developer ~0060443	After a quick look at changes from 3 to 4, and considering our use of the ACE admin template, this is no small undertaking Using 3.4.0 might be an option https://github.com/twbs/bootstrap/commits/v3.4.0-dev From what I see, they seem to fix security issues in this branch https://github.com/twbs/bootstrap/commit/2a5ba23ce8f041f3548317acc992ed8a736b609d

dregad 2018-08-17 05:14 developer ~0060446	Using 3.4.0 might be an option Assuming they ever release it... https://github.com/twbs/bootstrap/issues/25679

Kyle_Katarn 2018-08-17 06:22 reporter ~0060447	Would you please edit my issue's title in order to change it to "Fix CVE-2018-14040, CVE-2018-14041, CVE-2018-14042" ? (which is more relevant)

atrol 2018-12-30 15:42 developer ~0061119	PR https://github.com/mantisbt/mantisbt/pull/1432

Kyle_Katarn 2018-12-30 15:53 reporter ~0061120	Thanks !!

vboctor 2019-02-24 16:39 manager ~0061568	@atrol should this be applied 2.19.1?

atrol 2019-02-25 09:55 developer ~0061571	@vboctor this is a security issue, but I did not investigate if there is a way to use the leak in MantisBT. I don't expect that backporting to 2.19.1 will break something, but I don't have time for tests. So the answer is: Maybe ;-)

MantisBT: master fd56979f 2018-12-30 10:40 atrol Details Diff	Update Bootstrap to 3.4.0 Fixes 0024672		Affected Issues 0024672
	mod - core/constant_inc.php		Diff File
	rm - css/bootstrap-3.3.6.css		Diff
	rm - css/bootstrap-3.3.6.min.css		Diff
	add - css/bootstrap-3.4.0.css		Diff File
	add - css/bootstrap-3.4.0.min.css		Diff File
	rm - js/bootstrap-3.3.6.min.js		Diff
	add - js/bootstrap-3.4.0.js		Diff File
	add - js/bootstrap-3.4.0.min.js		Diff File