View Issue Details

IDProjectCategoryView StatusLast Update
0034416mantisbtsecuritypublic2024-05-11 17:23
ReporterMickoloh Assigned Todregad  
PrioritynormalSeveritymajorReproducibilityalways
Status closedResolutionduplicate 
PlatformLinuxOSRedHat Enterprise LinuxOS Version9.3
Product Version2.26.1 
Summary0034416: NESSUS reports vuln for jquery and typahead
Description

Our Nessus scanner reports the following vulnerabilities:

jquery is version 2.2.4, should be 3.5.0+
typeahead.js is 1.3.0, should be 3.5.0+

Related:
CVE-2020-11022
CVE-2020-11023

Thanks!

Additional Information

From ./library/README.md:

MantisBT external libraries

This directory contains a copy the 3rd-party libraries used by MantisBT.

The version and status of each is summarized below:

----snip---

library / plugin version status
jquery 2.2.4 unpatched

----snip---

| typeahead.js | 1.3.0 | unpatched |

TagsNo tags attached.
Attached Files
mantis-jquery-typeahead.png (18,914 bytes)   
mantis-jquery-typeahead.png (18,914 bytes)   

Relationships

duplicate of 0026357 acknowledged Vulnerability from library JQuery 2.2.4 
related to 0034417 closeddregad Update corejs-typeahead.js library to 1.3.4 

Activities

dregad

dregad

2024-04-23 10:47

developer   ~0068860

Last edited: 2024-04-23 10:48

Thanks for the report.

With regards to the jQuery vulnerability, this is a known issue that has already been reported to us several times (see 0026357). Unfortunately, we are currently on the latest available 2.x release, which is no longer receiving patches.

Considering the number of breaking changes introduced by version 3.x, upgrading is not a small undertaking, and would require extensive testing to ensure full compatibility; sadly we do not have the bandwidth for taking this on at the moment. Contributions are welcome.

typeahead.js is 1.3.0, should be 3.5.0+

According to https://github.com/corejavascript/typeahead.js/releases, the latest available release is 1.3.4, not sure where you are getting the 3.5.0+ reference from.

The changelog does not mention any specific vulnerabilities fixed between 1.3.0 and 1.3.4, although the 1.3.1 release includes updates of numerous npm dependencies to resolve vulnerability warnings.

Follow-up in 0034417 for upgrade to 1.3.4.

Mickoloh

Mickoloh

2024-04-23 11:01

reporter   ~0068861

Hi!

The 3.5.0+ was what Nessus indicated as the version in which the vulnerability was fixed - sorry about that!

I'll definitely check out the 1.3.4 upgrade documentation.

Thank you!