Details
- Bug
- Resolution: Fixed
- High
- None
- None
- Severity 2 - Major
Description
Similar to JRASERVER-43422, the version of jQuery bundled with Bitbucket Server (currently 2.1.4) is vulnerable to jQuery issue 2432 (a third-party `$.get()` response is auto-executed if its content type is text/javascript) and issue 11974 (`parseHTML` executes inline scripts such as event handlers). Actual exploitability and impact on Bitbucket Server depend on whether and how the vulnerable code paths are used.
On a related note, http://research.insecurelabs.org/jquery/test/ can be used to check jQuery versions for issues.
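The two jQuery behaviours the description refers to, as an added JavaScript example that is not part of this issue or of jQuery's own code. The `contents` regex table mirrors the defaults jQuery 2.1.4 registers in ajax.js and ajax/script.js; `inferDataType` and `handleResponse` are simplified stand-ins for jQuery's ajaxHandleResponses and its "text script" converter (which calls `jQuery.globalEval`), and record the decision instead of evaluating anything so the block runs offline under Node. `containsInlineHandler` is an assumed screening heuristic for issue 11974, not a sanitizer.

```javascript
// Regexes jQuery 2.1.4 uses to pick a dataType from the response Content-Type
// when the caller did not specify one ($.get(url) with no dataType argument).
// The `script` entry is added by ajax/script.js; it is what routes a
// text/javascript response into the "text script" converter -> globalEval.
const contents = {
  xml: /xml/,
  html: /html/,
  json: /json/,
  script: /(?:java|ecma)script/,
};

// Decide which dataType jQuery 2.x would use for a response.
// explicitType is the caller's `dataType` (undefined for a bare $.get(url)).
function inferDataType(contentType, explicitType) {
  if (explicitType !== undefined) return explicitType; // caller's choice wins
  for (const [type, re] of Object.entries(contents)) {
    if (re.test(contentType)) return type;
  }
  return "text";
}

// Simplified stand-in for jQuery's converter dispatch: reports whether the
// response body would be handed to globalEval (issue 2432) rather than
// returned to the success callback as data.
function handleResponse(body, contentType, explicitType) {
  const dataType = inferDataType(contentType, explicitType);
  return { dataType, wouldEval: dataType === "script", body };
}

// jQuery.parseHTML(html, context, keepScripts) drops <script> elements when
// keepScripts is false (the default), but inline event-handler attributes
// survive. An <img src=x onerror=...> created against the live document fires
// its handler as soon as the browser tries (and fails) to load the image, with
// no need to append the node (issue 11974). This regex flags such markup before
// it reaches parseHTML; it is a heuristic and will also match handler-looking
// text inside attribute values, so treat a hit as "render as text instead".
const INLINE_HANDLER = /<[^>]*\s+on[a-z]+\s*=/i;

function containsInlineHandler(html) {
  return INLINE_HANDLER.test(html);
}

// Constructed sample responses, as an untrusted remote host might send them.
const unsafeGet = handleResponse("alert(document.cookie)", "text/javascript; charset=utf-8");
const safeGet = handleResponse("alert(document.cookie)", "text/javascript; charset=utf-8", "text");
console.log("no dataType:", unsafeGet.dataType, "evaluated:", unsafeGet.wouldEval);
console.log("dataType 'text':", safeGet.dataType, "evaluated:", safeGet.wouldEval);
console.log("parseHTML input flagged:",
  containsInlineHandler('<img src=x onerror="alert(1)">'),
  containsInlineHandler("<p>plain markup</p>"));
```

The mitigation on the `$.get()` side is to always pass an explicit `dataType` (`"text"` or `"json"`) for responses from hosts you do not control, so the Content-Type header of the remote server cannot select the script converter; jQuery 3.x stops auto-executing cross-domain script responses, which is why the linked tickets resolve the issue by upgrading. For `parseHTML`, strings that may carry attacker-controlled markup should be inserted with `.text()` or run through a real HTML sanitizer rather than relying on `keepScripts` being false.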
Attachments
Issue Links
- is related to
  - BAM-19990 The versions of jQuery and jQuery UI in use are vulnerable to several issues (Closed)
  - BSERV-10967 Update jQuery version bundled in Bitbucket. (Closed)
- relates to
  - JRASERVER-43422 Update the jQuery version used in Jira for better compatibility (Closed)
  - SECURITY-54