View Issue Details

IDProjectCategoryView StatusLast Update
0026384mantisbtsecuritypublic2019-12-09 15:04
Reporterhanno Assigned Todregad  
PrioritynormalSeverityminorReproducibilityhave not tried
Status closedResolutionduplicate 
Product Version2.22.1 
Summary0026384: Outdated jquery and bootstrap copies with known vulnerabilities
Description

The bootstrap code contains two copies of jquery:
./js/jquery-2.2.4.min.js
./vendor/phpunit/php-code-coverage/src/CodeCoverage/Report/HTML/Renderer/Template/js/jquery.min.js (version 1.11.3)

And also a copy of bootstrap 3.3.4:
./vendor/phpunit/php-code-coverage/src/CodeCoverage/Report/HTML/Renderer/Template/css/bootstrap.min.css

Both have known vulnerabilities, e.g. [1][2] (which doesn't necessarily mean these are exploitable in the way bootstrap/jquery is used within mantis, these js/css framework vulns are often very specific to certain usecases - still I think known vulnerable components should be updated).

The latter two seem to be part of php-code-coverage, which has recently updated these:
https://github.com/sebastianbergmann/php-code-coverage/commit/cfc7f556bef3458d4b052c76579c376bc4b96205
https://github.com/sebastianbergmann/php-code-coverage/commit/0e6ad854dc76bd6751e3b3b15aa78e6b8605996f

So updating the bundled php-code-coverage would fix those.

[1] https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/
[2] https://www.cvedetails.com/cve/CVE-2019-11358/

TagsNo tags attached.

Relationships

duplicate of 0026357 acknowledged Vulnerability from library JQuery 2.2.4 
related to 0026385 closeddregad Release packages and nightly build should not include development dependencies 

Activities

dregad

dregad

2019-11-25 07:33

developer   ~0063138

Thanks for the report.

The problem with jQuery 2.2.4 has already been reported (see 0026357), so I'm closing as duplicate.

With regards to Bootstrap, the issue is basically the same, even worse actually considering that it is very closely tied in to the ACE admin template we're using. Unfortunately, we the latter is no longer supported so I'm not sure how this will be addressed. I guess at some point we'll have to switch to another template. Long story short, we're stuck with Bootstrap 3 for now, and we are using the latest available release (3.4.1).

As for the phpunit dependency you referenced, please note that this is only used for development purposes, so I don't believe a production MantisBT would be vulnerable. That being said, I just realized that our release build script is not calling composer with the --no-dev option, so these get included even though they should not. I've opened 0026385 to track this issue.

Issue History

Date Modified Username Field Change
2019-11-24 08:31 hanno New Issue
2019-11-25 07:33 dregad Assigned To => dregad
2019-11-25 07:33 dregad Status new => resolved
2019-11-25 07:33 dregad Resolution open => duplicate
2019-11-25 07:33 dregad Note Added: 0063138
2019-11-25 07:33 dregad Relationship added duplicate of 0026357
2019-11-25 07:34 dregad Relationship added related to 0026385
2019-12-09 15:04 atrol Status resolved => closed