[jboss-jira] [JBoss JIRA] (WFLY-12345) Old versions of bootstrap and jquery with CVEs used in webconsole

Jan Stourac (Jira) issues at jboss.org
Thu Aug 1 07:40:00 EDT 2019


Jan Stourac created WFLY-12345:
----------------------------------

             Summary: Old versions of bootstrap and jquery with CVEs used in webconsole
                 Key: WFLY-12345
                 URL: https://issues.jboss.org/browse/WFLY-12345
             Project: WildFly
          Issue Type: Bug
          Components: Web Console
    Affects Versions: 17.0.1.Final
            Reporter: Jan Stourac
            Assignee: Harald Pehl


There are some old JavaScript libraries included in the 'external.min.js' resource, which is fetched for 'console/index.html':

Out-of-date Version (Bootstrap)
Identified Version: {{3.3.7}}
Latest Version: {{3.4.1 (in this branch)}}
----
Known Vulnerabilities in this Version:

* bootstrap.js Cross-Site Scripting (XSS) Vulnerability. External References: [CVE-2018-14040|https://nvd.nist.gov/vuln/detail/CVE-2018-14040]
* bootstrap.js Cross-Site Scripting (XSS) Vulnerability. External References: [CVE-2018-14042|https://nvd.nist.gov/vuln/detail/CVE-2018-14042]
* bootstrap.js Cross-Site Scripting (XSS) Vulnerability. External References: [CVE-2016-10735|https://nvd.nist.gov/vuln/detail/CVE-2016-10735]

----
jQuery v3.3.1 contains CVE-2019-11358 - https://www.cvedetails.com/cve/CVE-2019-11358/
Current version: v3.4.1

----

To be honest, I am not an expert in this area and I have not deeply investigated these CVEs, thus it is possible that our Web Console is not affected by them and as such there is no urgent need to perform a Bootstrap or jQuery library update. Not sure though...



--
This message was sent by Atlassian Jira
(v7.12.1#712002)
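A quick way to verify a report like this against the bundle actually served, as an added example that is not part of the ticket or of WildFly: it pulls the version banners that jQuery and Bootstrap leave in their minified builds and compares them numerically with the versions the ticket lists as current. The sample banner text is constructed, and the thresholds are the ticket's numbers, not a statement of which exact release fixed each CVE.

```python
import re

# Constructed sample of the banner comments that typically survive minification
# in a bundle such as external.min.js (the real WildFly file is not reproduced).
SAMPLE_BUNDLE = """/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */
/*!
 * Bootstrap v3.3.7 (http://getbootstrap.com)
 * Copyright 2011-2016 Twitter, Inc.
 */
if("undefined"==typeof jQuery)throw new Error("Bootstrap's JavaScript requires jQuery");
"""

# Thresholds are the versions the ticket lists as current, with the CVEs it cites.
# Whether an older build is really exploitable still requires reading each advisory.
MIN_FIXED = {
    "jquery": ("3.4.1", ["CVE-2019-11358"]),
    "bootstrap": ("3.4.1", ["CVE-2018-14040", "CVE-2018-14042", "CVE-2016-10735"]),
}

# Version banners as emitted by the two libraries' official builds.
BANNER_PATTERNS = {
    "jquery": re.compile(r"jQuery v(\d+\.\d+\.\d+)"),
    "bootstrap": re.compile(r"Bootstrap v(\d+\.\d+\.\d+)"),
}

def parse_version(version):
    """Turn '3.10.2' into (3, 10, 2) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))

def find_library_versions(bundle_text):
    """Return {library: version} for each banner found in the bundle text."""
    found = {}
    for name, pattern in BANNER_PATTERNS.items():
        match = pattern.search(bundle_text)
        if match:
            found[name] = match.group(1)
    return found

def outdated_libraries(bundle_text, min_fixed=MIN_FIXED):
    """Return (library, found, required, cves) for every library below threshold."""
    report = []
    for name, version in find_library_versions(bundle_text).items():
        required, cves = min_fixed[name]
        if parse_version(version) < parse_version(required):
            report.append((name, version, required, cves))
    return report

if __name__ == "__main__":
    print(outdated_libraries(SAMPLE_BUNDLE))
```

Point it at the bundle downloaded from the running console instead of the sample to confirm what the console actually ships.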


