GluuFederation / gluu-core-bom

POM which contains dependencies for sharing across different projects that are using maven.
MIT License

Update jQuery and Bootstrap for oxTrust #38

Open mzico opened 10 months ago

mzico commented 10 months ago

Tested in Gluu Server 4.5.2

Recommended Version: jQuery UI 1.13.2 or above

Recommended Version: Bootstrap 4.1.2 or above

jQuery Observation:

Vulnerable javascript library: jQuery.ui.dialog version: 1.12.1 script uri: https://host1.host.com/oxauth/js/jquery-ui.min.js

Details: CVE-2021-41182: jQuery-UI versions before 1.13.0 are vulnerable to Cross-Site Scripting (XSS) attacks. Please refer to vendor documentation (https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/) for latest security updates.

CVE-2021-41183: jQuery-UI versions before 1.13.0 are vulnerable to Cross-Site Scripting (XSS) attacks. Please refer to vendor documentation (https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/) for latest security updates.

CVE-2021-41184: jQuery-UI versions before 1.13.0 are vulnerable to Cross-Site Scripting (XSS) attacks. Please refer to vendor documentation (https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/) for latest security updates.

CVE-2022-31160: jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling ".checkboxradio( "refresh" )" on such a widget when the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the "label" in a "span".

Found on the following pages (only first 10 pages are reported): https://[hostname]/oxauth/error.htm

For Bootstrap

Vulnerable javascript library: Bootstrap
version: 4.0.0
script uri: https://host1.host.com/oxauth/js/bootstrap.min.js

Details:
CVE-2018-14041: The data-target property of scrollspy in bootstrap versions on or above 4.0.0-alpha and before 4.1.2 are vulnerable to Cross-Site Scripting(XSS) attacks. Please refer to vendor documentation (https://github.com/twbs/bootstrap/issues/20184) for the latest security updates.

----------------------------------------------

CVE-2018-14040: Bootstrap versions on or above 4.0.0-alpha and before 4.1.2 are vulnerable to Cross-Site Scripting(XSS) in collapse data-parent attribute. Please refer to vendor documentation (https://github.com/twbs/bootstrap/issues/20184) for latest security updates.

----------------------------------------------

CVE-2018-14042: Bootstrap versions on or above 4.0.0-alpha and before 4.1.2 are vulnerable to Cross-Site Scripting(XSS) in data-container property of tooltip. Please refer to vendor documentation (https://github.com/twbs/bootstrap/issues/20184) for latest security updates.

Found on the following pages (only first 10 pages are reported):

Recommended Version: jQuery UI 1.13.2

yurem commented 10 months ago

We need to fix it in 4.5.3

senthilkumardhanapal2 commented 10 months ago

@yurem

One more on this: RichFaces

Recommended Version: RichFaces 4.5.17

RichFaces project had reached EOL in 2016, so no patch will be provided by vendor. It is recommended not to use RichFaces.

A vulnerable version of the RichFaces framework was identified. The RichFaces project is an advanced UI component framework for integrating AJAX capabilities into web applications using JSF. Various versions of RichFaces suffer from multiple remote code injection vulnerabilities as listed below.

CVE-2018-12532: JBoss RichFaces via a MediaOutputResource's resource request, aka RF-14309
CVE-2018-12533: JBoss RichFaces via a /DATA/ substring in a path, aka RF-14310
CVE-2018-14667: JBoss RichFaces using UserResource$UriData
CVE-2015-0279: JBoss RichFaces 'do' Parameter Remote Code Execution Vulnerability
CVE-2013-2165: JBoss RichFaces CVE-2013-2165 Remote Code Execution Vulnerability
RF-14309: Arbitrary EL Evaluation in RichFaces 4.5.3 through 4.5.17
RF-14310: Arbitrary EL Evaluation in RichFaces 3.x through 3.3.4

Affected Versions: All RichFaces 3.x, 4.x versions (including the latest versions 3.3.4, 4.5.17) are vulnerable to remote code execution.

List of security issues in various RichFaces versions:

RichFaces 3:
3.1.0 through 3.3.3: CVE-2013-2165
3.1.0 through 3.3.4: RF-14310/CVE-2018-12533, CVE-2018-14667

RichFaces 4:
4.0.0 through 4.3.2: CVE-2013-2165
4.0.0 through 4.5.4: CVE-2015-0279
4.5.3 through 4.5.17: RF-14309/CVE-2018-12532

More information: https://codewhitesec.blogspot.com/2018/05/poor-richfaces.html

Note: This QID detects the use of RichFaces by checking for the presence of a client-side RichFaces JavaScript library.

Impact: Successful exploitation allows unauthenticated, remote attackers to execute arbitrary code within the context of the application.

Solution: RichFaces is end of life since 2016, so no patch will be provided by vendor. It is recommended not to use RichFaces.

Upgrading to RichFaces 3.3.4.Final or RichFaces 4.5.17 would remediate CVE-2013-2165 and CVE-2015-0279. There are no known fixes or patches available from vendor for RF-14309 or RF-14310.

Ref: https://developer.jboss.org/docs/DOC-55384

Workaround: For suggestions on how to fix the issue, please refer to
https://codewhitesec.blogspot.com/2018/05/poor-richfaces.html
https://liferay.dev/blogs/-/blogs/mitigating-richfaces-4-5-17-final-eol-vulnerabilities

@nynymike @mzico

shekhar16 commented 10 months ago

@senthilkumardhanapal2 @yurem
In 4.5.3, we are already using jquery-ui-1.13.2.min.js and RichFaces 4.5.19 (which is a higher version than 4.5.17).
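A small version-range checker, added here as an example and not code from the gluu-core-bom project or any commenter, that encodes the affected ranges quoted in this thread (jQuery UI, Bootstrap and RichFaces) so a build step can flag which of the listed advisories still apply to the library versions it ships. The library keys ('jquery-ui', 'bootstrap', 'richfaces') and the range encoding are my own; the ranges themselves are the ones stated above.

```python
import re

# Ranges quoted in this thread: (library, advisory, lowest affected
# (None = any), highest affected, highest bound inclusive?). The scanner's
# "before X" is exclusive, "through X" inclusive.
ADVISORIES = [
    ("jquery-ui", "CVE-2021-41182", None, "1.13.0", False),
    ("jquery-ui", "CVE-2021-41183", None, "1.13.0", False),
    ("jquery-ui", "CVE-2021-41184", None, "1.13.0", False),
    ("jquery-ui", "CVE-2022-31160", None, "1.13.2", False),
    ("bootstrap", "CVE-2018-14040", "4.0.0-alpha", "4.1.2", False),
    ("bootstrap", "CVE-2018-14041", "4.0.0-alpha", "4.1.2", False),
    ("bootstrap", "CVE-2018-14042", "4.0.0-alpha", "4.1.2", False),
    ("richfaces", "CVE-2013-2165", "3.1.0", "3.3.3", True),
    ("richfaces", "CVE-2018-12533", "3.1.0", "3.3.4", True),
    ("richfaces", "CVE-2018-14667", "3.1.0", "3.3.4", True),
    ("richfaces", "CVE-2013-2165", "4.0.0", "4.3.2", True),
    ("richfaces", "CVE-2015-0279", "4.0.0", "4.5.4", True),
    ("richfaces", "CVE-2018-12532", "4.5.3", "4.5.17", True),
]

_VER = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]([A-Za-z][\w-]*))?$")

def version_key(v):
    """Sortable tuple for '1.13.2', '4.0.0-alpha' or '3.3.4.Final'; alpha/beta/rc
    tags sort before the final release of the same number, 'Final' is the release."""
    m = _VER.match(v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))  # pad so 4.5 compares like 4.5.0.0
    tag = (m.group(2) or "").lower()
    if tag.startswith(("alpha", "beta", "rc")):
        return nums + (0, tag)
    return nums + (1, "")

def applicable(library, version):
    """Advisory ids whose stated range covers this library version."""
    key = version_key(version)
    hits = []
    for lib, advisory, lo, hi, hi_inclusive in ADVISORIES:
        if lib != library:
            continue
        if lo is not None and key < version_key(lo):
            continue
        hi_key = version_key(hi)
        if key > hi_key or (key == hi_key and not hi_inclusive):
            continue
        hits.append(advisory)
    return hits
```

Running applicable("jquery-ui", "1.12.1") and applicable("bootstrap", "4.0.0") reproduces the scanner's findings above, while the 1.13.2 jQuery UI shipped in 4.5.3 returns an empty list; RichFaces 4.5.17 still returns RF-14309/CVE-2018-12532, which has no vendor fix.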