- Type: Bug
- Resolution: Fixed
- Priority: Low
- None
- 1
- Severity: 3 - Minor
Similar to JRASERVER-43422, the version of jQuery in use (currently 1.10.2) is vulnerable to jQuery issue 2432 (a third-party $.get() response is auto-executed if its content type is text/javascript) and issue 11974 (parseHTML executes inline scripts such as event handlers). Additionally, the version of jQuery UI in use (1.8.24) is vulnerable to CVE-2010-5312, which an attacker can exploit if they are able to supply the "title" value of a jQuery UI dialog. Actual exploitability and impact for Bamboo depend on whether and how the vulnerable code paths are used.
On a related note, http://research.insecurelabs.org/jquery/test/ can be used to check jQuery versions for known issues.
- relates to:
  - BSERV-10873 The version of jQuery in use is vulnerable to several issues (Closed)
  - JRASERVER-43422 Update the jQuery version used in Jira for better compatibility (Closed)
  - AUI-4419
  - UPM-6007
- was cloned as:
  - BDEV-15347
- Wiki Page
[BAM-19990] The versions of jQuery and jQuery UI in use are vulnerable to several issues
Field | Original | New
Link | | This issue depended on by BAM-21798 [ BAM-21798 ]
Fix Version/s | | 6.10.2 [ 89592 ]
Fix Version/s | 6.10.0 [ 86205 ] |
Workflow | Bamboo Workflow 2016 v1 - Restricted [ 2745853 ] | JAC Bug Workflow v3 [ 3386125 ]
Status | Resolved [ 5 ] | Closed [ 6 ]
Fix Version/s | | 6.10.0 [ 86205 ]
Resolution | | Fixed [ 1 ]
Status | In Progress [ 3 ] | Resolved [ 5 ]
Remote Link | | This issue links to "UPM-6007 (Ecosystem JIRA)" [ 436694 ]
Assignee | Pawel Skierczynski [ pskierczynski ] | Victor Debone [ vdebone ]
Status | Open [ 1 ] | In Progress [ 3 ]
Assignee | | Pawel Skierczynski [ pskierczynski ]
Comment | | [ test mention: [~vdebone] ]
Remote Link | | This issue links to "BDEV-15347 (Hello Jira)" [ 425537 ]