[BAM-19990] The versions of jQuery and jQuery UI in use are vulnerable to several issues

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 6.10.2
Affects Version/s: None
Component/s: User Interface
Labels:

Support reference count:
1
Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

Similar to ~~JRASERVER-43422~~, the version of jQuery used (currently version 1.10.2) is vulnerable to jQuery issue 2432 (3rd party $.get() auto executes if content type is text/javascript) and 11974 (parseHTML executes inline scripts like event handlers). Additionally, the version of jQuery UI in use (1.8.24) is vulnerable to CVE-2010-5312 and an attacker can exploit this issue if they are able to provide values to "title" of a jQuery ui dialogue. Actual exploitation / impact to Bamboo depends upon if & how the vulnerable code paths are used.

On a related note, http://research.insecurelabs.org/jquery/test/ can be used to check jQuery versions for issues.

relates to

BSERV-10873 The version of jQuery in use is vulnerable to several issues

Closed

JRASERVER-43422 Update the jQuery version used in Jira for better compatibility

Closed

AUI-4419 Loading...

UPM-6007 Loading...

mentioned in: Page Failed to load; Page Loading...; Page Loading...

was cloned as: BDEV-15347 Loading...

Wiki Page: Wiki Page Loading...

(2 mentioned in, 1 was cloned as, 1 Wiki Page)

No work has yet been logged on this issue.

Assignee:: Victor Debone

Reporter:: David Black

Affected customers:: 0 This affects my team

Watchers:: 8 Start watching this issue

Created:: 18/Jul/2018 2:54 AM

Updated:: 21/Nov/2022 2:29 PM

Resolved:: 12/Jul/2019 2:07 PM

Details

Description

Attachments

Issue Links

Forms

Activity

People

Dates