Closed stondino00 closed 1 year ago
How do I get someone to review this?
Hi, please update to 24.0.9 or better 25.0.3 and report back if it fixes the issue. Thank you!
My goal is to add a label like e.g. 25-feedback to this ticket of an up-to-date major Nextcloud version where the bug could be reproduced. However this is not going to work without your help. So thanks for all your effort!
If you don't manage to reproduce the issue in time and the issue gets closed but you can reproduce the issue afterwards, feel free to create a new bug report with up-to-date information by following this link: https://github.com/nextcloud/server/issues/new?assignees=&labels=bug%2C0.+Needs+triage&template=BUG_REPORT.yml&title=%5BBug%5D%3A+
Hi, same here with Nextcloud 25.0.4. A recent security audit of our external perimeter states that bootstrap 3.3.5 is used and refers to https://[domain]/dist/core-common.js. A quick search for "bootstrap v3.3.5" in this file returned 24 results.
That's not the case anymore. It's just a bad copyright comment that was copied over.
https://github.com/nextcloud/server/pull/35485
Also backported to 25.0.4 https://github.com/nextcloud/server/pull/36273
24 might still show this false interpretation, but it's okay to ignore. Shipped bootstrap version is 4.6.2 https://github.com/nextcloud/server/blob/stable24/package.json#L51
Thanks for the clarification, good to know that this is only a bad comment! But https://raw.githubusercontent.com/nextcloud/server/stable25/dist/core-common.js still has those comments, shouldn't they be gone there as well with those two PRs you mentioned?
Still seeing this copyright issue in 25.0.7
Hi,
In v26.02 it is still an issue, the source still has it: https://raw.githubusercontent.com/nextcloud/server/stable26/dist/core-common.js. I guess this affects the Nextcloud shipped apps by default too, below are some I've encountered from 1-7. As point 8. is a different JS, which is actually really there: also outdated & vulnerable.
By using the Nextcloud Files:
- In dist: /dist/core-common.js
- Activity (v2.18.0): /apps/activity/js/activity-323.js
- Checksum (v1.2.1): /apps/activity/js/activity-323.js
- Electronic signatures (2.0.4): /apps/electronicsignatures/js/electronic-signatures-fileActions.js
- Group folders (v14.0.2): /apps/groupfolders/js/groupfolders-vendors-node_modules_nextcloud_vue-richtext_dist_index_js-node_modules_nextcloud_vue_dist_Com-ae25e2.js
- [Built-in] Viewer (v1.10.0): /apps/viewer/js/viewer-main.js
- By loading Photos: /apps/photos/js/photos-main.js
- By loading Talk: /apps/deck/js/deck-reference.js & /apps/deck/js/deck-talk.js
- A different but also vulnerable one - jszip.js in Mind Map (0.0.28): /apps/files_mindmap/js/jszip.js
I've considered opening a new issue for this, since above comments seem to not get any traction. The issue persists on v26.0.4, and still trips up security scanners - especially bad, since v26+ seems to have dropped bootstrap altogether as a dependency. I detest pinging, but seem to have no choice - @nickvergessen please consider reopening the issue?
Then maybe it is another app you use that embeds it itself.
Please post a new detailed scanner report so we can judge it
Alright, as I understand core-common.js is re-generated when apps are added/removed?
I've done a `grep -R -o -n "Bootstrap v3.3.5" apps/` in my instance's apps folder, and it appears those still have the strings inside their *.js files:
- calendar
- deck
- groupfolders
- recommendations
- richdocuments
- privacy
- photos
- activity
- firstrunwizard
- viewer
Not all of those apps are active, and all are 'Featured' in the App menu.
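The grep above only proves that the string "Bootstrap v3.3.5" occurs in the bundles, which is exactly what a banner-based scanner keys on; the maintainer's point earlier in the thread is that the version actually shipped is the one pinned in package.json. The following script, added here as an illustration and not part of Nextcloud or of any comment in this thread, does the two-sided check: it counts banner hits per JS file and compares each banner version with the bootstrap version declared in a parsed package.json. The directory layout (dist/ and apps/<app>/js/), the sample JS files and the sample package.json are constructed for the demo; a "mismatch" is only a flag for manual review (a stale copyright comment as in this thread, or a copy vendored by an app), not proof of a vulnerable copy.

```python
import json
import re
import tempfile
from collections import Counter
from pathlib import Path

# Banner that Bootstrap's build emits at the top of its files, e.g. "Bootstrap v3.3.5".
BANNER_RE = re.compile(r"Bootstrap v(\d+\.\d+\.\d+)")


def banner_versions(js_dir):
    """Map each .js file under js_dir (posix relative path) to Counter{version: hits}.

    This is what a banner-based scanner effectively does: it keys on the
    version string in the comment, not on what the bundle actually executes.
    """
    found = {}
    root = Path(js_dir)
    for path in root.rglob("*.js"):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = Counter(BANNER_RE.findall(text))
        if hits:
            found[path.relative_to(root).as_posix()] = hits
    return found


def declared_bootstrap_version(pkg):
    """Version pinned for bootstrap in a parsed package.json dict, or None if absent.

    Only simple specs such as "4.6.2", "^4.6.2" and "~4.6.2" are understood;
    anything else is returned as-is so it shows up as a mismatch and gets a human look.
    """
    for section in ("dependencies", "devDependencies"):
        spec = pkg.get(section, {}).get("bootstrap")
        if spec:
            return spec.lstrip("^~")
    return None


def classify(js_dir, pkg):
    """Compare every banner hit with the declared dependency.

    Returns {file: [(version, hits, status)]} where status is "match" when the
    banner agrees with package.json and "mismatch" when it does not. A mismatch
    needs manual review: it may be a stale copyright comment left in the bundle
    or a separate copy vendored by an app.
    """
    declared = declared_bootstrap_version(pkg)
    report = {}
    for rel, hits in banner_versions(js_dir).items():
        report[rel] = [
            (version, count, "match" if version == declared else "mismatch")
            for version, count in sorted(hits.items())
        ]
    return report


# Constructed sample tree (not real Nextcloud files); assumed layout: dist/ and apps/<app>/js/.
SAMPLE_FILES = {
    "dist/core-common.js": (
        "/*!\n * Bootstrap v3.3.5 (http://getbootstrap.com)\n */\n"
        "function a(){}\n"
        "/*! Bootstrap v3.3.5 */\nfunction b(){}\n"
    ),
    "apps/demo/js/vendor.js": "/*!\n * Bootstrap v4.6.2 (https://getbootstrap.com/)\n */\nfunction c(){}\n",
    "apps/demo/js/clean.js": "function d(){}\n",
}
# Constructed package.json content, mirroring a "bootstrap": "^4.6.2" pin.
SAMPLE_PACKAGE_JSON = {"dependencies": {"bootstrap": "^4.6.2"}}


def run_demo():
    """Write the constructed tree to a temp dir and return classify()'s report."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_FILES.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return classify(tmp, SAMPLE_PACKAGE_JSON)


if __name__ == "__main__":
    for rel, findings in sorted(run_demo().items()):
        for version, count, status in findings:
            print(f"{rel}: Bootstrap v{version} x{count} -> {status}")
```

Against a real checkout, point `classify()` at the web root and pass `json.load(open("package.json"))`; files whose only hit is a mismatching banner with no other Bootstrap code are the ones worth attaching to a scanner false-positive note, while a matching banner inside an app directory indicates a genuinely vendored copy that should be tracked separately from the server's own dependency.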
Bug description
Nessus scan showing old bootstrap version. Actually looks like 3.x is end of life as well. Should be updated to 5.x asap it appears.
https://endoflife.date/bootstrap
Steps to reproduce
Scan with Nessus OR go to this URL on your Nextcloud instance and search for Bootstrap.
https:///dist/core-common.js
Expected behavior
Showing newer version when searching for bootstrap.
Installation method
Official SNAP package
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.0
Web server
Apache (supported)
Database engine version
MySQL
Is this bug present after an update or on a fresh install?
No response
Are you using the Nextcloud Server Encryption module?
No response
What user-backends are you using?
Configuration report
No response
List of activated Apps
Nextcloud Signing status
No response
Nextcloud Logs
No response
Additional info
No response