Core: JQuery 1.2 < 3.5.0 XSS

Created on 30 May 2020  路  12Comments  路  Source: owncloud/core

Hello,
Please update jquery in OwnCloud:
./core/vendor/jquery/dist/jquery.min.js

Description
According to the self-reported version in the script, the version of JQuery hosted on the remote web server is greater than or equal to 1.2 and prior to 3.5.0. It is, therefore, affected by a cross site scripting vulnerability.
Solution
Upgrade to JQuery version 3.5.0 or later.
See Also
https://nvd.nist.gov/vuln/detail/CVE-2020-11022

I check and in OwnCloud 10.4.1 there is old version in this directory: /core/vendor/jquery/dist/jquery.min.js.

Best Regards
TaKeN

picture takenek
👍1

Most helpful comment

Yes, that is the correct PR for the long term fix :smile:

picture mmattel on 28 Jun 2020
👍2

All 12 comments

Same problem in newlatest beta version:
https://download.owncloud.org/community/testing/owncloud-10.5.0beta2.tar.bz2

takenek picture takenek on 13 Jun 2020

@takenek https://raw.githubusercontent.com/owncloud/core/master/.github/issue_template.md

For reporting potential security issues please see https://owncloud.org/security/

Better ask by above?

ho4ho picture ho4ho on 22 Jun 2020

@micbar fyi

mmattel picture mmattel on 23 Jun 2020

Yes, that is the same issue.
https://github.com/owncloud/core/pull/37596#issuecomment-650571933

@micbar @mmattel Close?

ho4ho picture ho4ho on 27 Jun 2020

Form my pov, #37596 improves the situation but it is not updating jquery to the newest release...

mmattel picture mmattel on 27 Jun 2020

But XSS fixed by workaround?

To workaround the issue without upgrading, adding the following to your code:
https://github.com/advisories/GHSA-gxr4-xjj5-5px2

ho4ho picture ho4ho on 27 Jun 2020

@ho4ho

yes, the xss issue is fixed by the workaround.
As the name "workaround" says, ist is not a clean fix.
Either:

  • we close this issue because of the workaround and forget about any jquery upgrade
  • we keep it open and use it to upgrade to 3.5.1 (https://code.jquery.com)
  • or we close this one and create a new issue (refrencing to this issue) which is imho the cleanest path to go.

Including that between our really old jquery version and the current release of 3.5.1, a lot of additional fixes have been made...

@micbar, this is something you (or PM) have to decide

mmattel picture mmattel on 28 Jun 2020
👍1

Update outdated components (#36237)

JQuery 2.1.4

Update included by https://github.com/owncloud/core/pull/37340 ?

ho4ho picture ho4ho on 28 Jun 2020

Yes, that is the correct PR for the long term fix :smile:

mmattel picture mmattel on 28 Jun 2020
👍2

Yes, that is the correct PR for the long term fix 馃槃

It is not that easy unfortunately. Just udating jquery will create a lot of issues.
This would be a major change across the whole platform including all the apps.

micbar picture micbar on 28 Jun 2020
👍1

Q: Do we have this xss issue in apps too?

mmattel picture mmattel on 29 Jun 2020

Duplicate of https://github.com/owncloud/core/issues/36237

VicDeo picture VicDeo on 2 Jul 2020
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

individual-it picture individual-it  路  3Comments
michaelstingl picture michaelstingl  路  3Comments
dpeger picture dpeger  路  3Comments
j-holub picture j-holub  路  3Comments
rehoehle picture rehoehle  路  4Comments