Jira Data Center: JRASERVER-72273

Public documentation for the fixes included in the jQuery custom version


Details

    • Suggestion
    • Resolution: Unresolved
    • Documentation - All

    Description

      Issue Summary

      Currently, Jira is using a custom jQuery version where we keep track of the critical jQuery bugs and continually release the fixes by cherry-picking the commits from the fixed jQuery versions into our forked version of jQuery 2. For instance, some jQuery versions have medium to critical security vulnerabilities, and these were addressed in Jira in the following issues:

      https://jira.atlassian.com/browse/JRASERVER-69725
      https://jira.atlassian.com/browse/JRASERVER-71139
      https://jira.atlassian.com/browse/JRASERVER-70929

      However, not all users are aware of these custom fixes and some security tools report false vulnerabilities for the current jQuery version used by Jira by comparing it to the desired fixed version.

      Even though we include the details for each vulnerability fix in our security advisories, it'd be good if we could have a public document where we keep track of all the critical fixes that we are continuously patching in Jira. In this way, it would be easier for the customers to confirm that they are protected against these vulnerabilities.

       


            People

              tbartyzel Tomasz Bartyzel
              mdhahak@atlassian.com Meriem Dhahak
              Votes: 4
              Watchers: 6
