Opened 4 weeks ago

Last modified 4 weeks ago

#15353 new bug

Security bug reported with jquery ui 1.12

Reported by: Scott Dickerson
Owned by:
Priority: minor
Milestone: none
Component: ui.core
Version: 1.12.1
Keywords:
Cc:
Blocked by:
Blocking:

Description (last modified by Ryan J Ollos)

A security exposure flagged by our security scan tool:

/Users/scottsd/Documents/GitHub/analytics-service-library/env/lib/python3.7/site-packages/matplotlib/backends/web_backend/jquery-ui-1.12.1/external/jquery/jquery.js

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

This is due to your packaged version of jQuery.

Issue 1 of 2
Issue ID: 2df3ae9d-a1bc-e911-ac11-002590ac753d
Severity: Medium
Status: New
Classification: Definitive
Location: /Users/scottsd/Documents/GitHub/analytics-service-library/env/lib/python3.7/site-packages/matplotlib/backends/web_backend/jquery-ui-1.12.1/external/jquery/jquery.js
Availability Impact: Partial
Confidentiality Impact: Partial
Integrity Impact: Partial
Date Created: Monday, August 12, 2019
Last Updated: Monday, August 12, 2019
CVE: 2015-9251
File: /Users/scottsd/Documents/GitHub/analytics-service-library/env/lib/python3.7/site-packages/matplotlib/backends/web_backend/jquery-ui-1.12.1/external/jquery/jquery.js
Name: CVE-2015-9251
Description: jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Resolution: Upgrade To Version 3.0.0
URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251
Issue 1 of 2 - Details
None

Issue 2 of 2
Issue ID: 2ef3ae9d-a1bc-e911-ac11-002590ac753d
Severity: Medium
Status: New
Classification: Definitive
Location: /Users/scottsd/Documents/GitHub/analytics-service-library/env/lib/python3.7/site-packages/matplotlib/backends/web_backend/jquery-ui-1.12.1/external/jquery/jquery.js
Availability Impact: Partial
Confidentiality Impact: Partial
Integrity Impact: Partial
Date Created: Monday, August 12, 2019
Last Updated: Monday, August 12, 2019
CVE: 2019-11358
File: /Users/scottsd/Documents/GitHub/analytics-service-library/env/lib/python3.7/site-packages/matplotlib/backends/web_backend/jquery-ui-1.12.1/external/jquery/jquery.js
Name: CVE-2019-11358
Description: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Resolution: Upgrade To Version 3.4.0
URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Change History (1)

comment:1 Changed 4 weeks ago by Ryan J Ollos

Description: modified (diff)