Jan Stourac created WFLY-12345:
----------------------------------
Summary: Old versions of bootstrap and jquery with CVEs used in webconsole
Key: WFLY-12345
URL: https://issues.jboss.org/browse/WFLY-12345
Project: WildFly
Issue Type: Bug
Components: Web Console
Affects Versions: 17.0.1.Final
Reporter: Jan Stourac
Assignee: Harald Pehl
There are some old JavaScript libraries included in the 'externla.min.js' resource,
which is fetched for 'console/index.html':
Out-of-date Version (Bootstrap)
Identified Version: {{3.3.7}}
Latest Version: {{3.4.1 (in this branch)}}
----
Known Vulnerabilities in this Version:
* bootstrap.js Cross-Site Scripting (XSS) Vulnerability
External References: [CVE-2018-14040|https://nvd.nist.gov/vuln/detail/CVE-2018-14040]
* bootstrap.js Cross-Site Scripting (XSS) Vulnerability
External References: [CVE-2018-14042|https://nvd.nist.gov/vuln/detail/CVE-2018-14042]
* bootstrap.js Cross-Site Scripting (XSS) Vulnerability
External References: [CVE-2016-10735|https://nvd.nist.gov/vuln/detail/CVE-2016-10735]
----
jQuery v3.3.1, contains CVE - https://www.cvedetails.com/cve/CVE-2019-11358/
current version v3.4.1
----
To be honest, I am not an expert in this area and I have not deeply investigated these CVEs, thus
it is possible that our Web Console is not affected by them and as such there is no urgent
need to perform a bootstrap or jQuery library update. Not sure though...