[JSWSERVER-20505] Security vulnerabilities exist in Javascript libraries used in Jira Software (8.8.0)

Type: Suggestion
Resolution: Fixed
Fix Version/s: 8.19.0
Component/s: Security
Labels:

UIS:
3
Feedback Policy:

We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

Google Cloud Platform Cloud Web Security Scanner tags two javascript libraries as being outdated and potentially vulnerable:

jquery 2.2.4

More information at

tinyMCE 4.6.4

More information at

https://www.tinymce.com/docs/changelog/

relates to

JRASERVER-67820 Security vulnerabilities exist in Javascript libraries used in Jira Server (7.11.2)

Gathering Interest

JRASERVER-72052 Update jQuery to avoid CVE-2020-11022 and CVE-2020-11023

Published

mentioned in: Page Failed to load

Form Name

Chris Leiter added a comment - 29/Nov/2021 11:13 AM

JQuery 2.2.4 has the following CVEs:

– CVE-2015-9251
– CVE-2015-9251
– CVE-2019-11358
– CVE-2020-11022
– CVE-2020-11023

and Jira Server 8.20.2 still uses this version, which is a blocking point for us. Any plans to update JQuery?

Thanks and regards,

Chris Leiter added a comment - 29/Nov/2021 11:13 AM JQuery 2.2.4 has the following CVEs: – CVE-2015-9251 – CVE-2015-9251 – CVE-2019-11358 – CVE-2020-11022 – CVE-2020-11023 and Jira Server 8.20.2 still uses this version, which is a blocking point for us. Any plans to update JQuery? Thanks and regards,

Sergey added a comment - 14/Sep/2021 4:10 AM

Tinymce is updated to version 5.8.0 as of JIRA 8.19+

Sergey added a comment - 14/Sep/2021 4:10 AM Tinymce is updated to version 5.8.0 as of JIRA 8.19+

Miryam Duella added a comment - 28/Jul/2021 1:06 PM

A vulnerability assessment held on Jira Server 8.13.5 (in June 2021) has raised the following issue:

The web application is using a JavaScript library that is known to contain at least one vulnerability (Vulnerable javascript library: TinyMCE version: 4.6.4).

When are you planning to solve this security issue?

Thanks, Best Regards

Miryam Duella added a comment - 28/Jul/2021 1:06 PM A vulnerability assessment held on Jira Server 8.13.5 (in June 2021) has raised the following issue: The web application is using a JavaScript library that is known to contain at least one vulnerability (Vulnerable javascript library: TinyMCE version: 4.6.4). When are you planning to solve this security issue? Thanks, Best Regards

Assignee:: Unassigned

Reporter:: Brian Dye

Votes:: 18 Vote for this issue

Watchers:: 21 Start watching this issue

Created:: 13/Apr/2020 11:17 PM

Updated:: 26/Feb/2025 5:04 PM

Resolved:: 26/Feb/2025 3:20 PM

Details

Description

jquery 2.2.4

tinyMCE 4.6.4

Attachments

Issue Links

Forms

Activity

Collapse comment: Chris Leiter added a comment - 29/Nov/2021 11:13 AM

Expand comment: Chris Leiter added a comment - 29/Nov/2021 11:13 AM

Collapse comment: Sergey added a comment - 14/Sep/2021 4:10 AM

Expand comment: Sergey added a comment - 14/Sep/2021 4:10 AM

Collapse comment: Miryam Duella added a comment - 28/Jul/2021 1:06 PM

Expand comment: Miryam Duella added a comment - 28/Jul/2021 1:06 PM

People

Dates

Backbone Issue Sync