NagiosEnterprises / nagioscore

Nagios Core
GNU General Public License v2.0

Nagios Core vulnerabilities #960

Open izzybell7 opened 1 month ago

izzybell7 commented 1 month ago

Hello,
My team has Nagios Core 4.4.13 deployed on RHEL 8 servers.
Mend OpenSource scanning has detected vulnerabilities for jquery-1.12.4.min.js and angular-1.3.9.min.js.

We are considering an upgrade to Nagios 4.5.2, but based on the code in GitHub, Nagios Core 4.5.2 includes the same vulnerable versions of angular and jquery.

CVEdetails does not list any vulnerabilities for Nagios Core 4.4.13. Have the vulnerabilities been identified as no risk to Nagios Core? Will an upgrade to 4.5.2 resolve the concerns?

Thank you!

Here is the CVE detail:

- angular-1.3.9.min.js CVE-2019-10768
- angular-1.3.9.min.js CVE-2019-14863
- angular-1.3.9.min.js CVE-2020-7676
- angular-1.3.9.min.js CVE-2022-25869
- angular-1.3.9.min.js CVE-2023-26116
- angular-1.3.9.min.js CVE-2023-26117
- angular-1.3.9.min.js CVE-2023-26118
- jquery-1.12.4.min.js CVE-2015-9251
- jquery-1.12.4.min.js CVE-2019-11358
- jquery-1.12.4.min.js CVE-2020-11022
- jquery-1.12.4.min.js CVE-2020-11023

sawolf commented 1 month ago

Hi @izzybell7 - thanks for bringing this to our attention, I've been meaning to have us handle these for a while. We will definitely have jQuery updated to version 3.7.1 for 4.5.3. Angular will be a little more complicated, but we'll see what we can do.