Bug 1406096 - Vulnerable JQuery Version
Summary: Vulnerable JQuery Version
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Security
Version: 5.6.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: GA
Target Release: 5.8.0
Assignee: Josh Langholtz
QA Contact: Jan Krocil
URL:
Whiteboard:
Depends On:
Blocks: 1428944
Reported: 2016-12-19 17:25 UTC by Jared Deubel
Modified: 2020-09-10 10:03 UTC
CC List: 8 users

Fixed In Version: 5.8.0.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1428944
Environment:
Last Closed: 2017-06-12 17:06:11 UTC
Category: ---
Cloudforms Team: ---
Target Upstream Version:
Embargoed:


Description Jared Deubel 2016-12-19 17:25:49 UTC
Description of problem:
The current version of jQuery in CloudForms 5.6 is v2.1.4. Since there are known vulnerabilities in the product, what are the implications of updating this? Is updating the version on the roadmap for the future?

The jQuery library used by the application is v2.1.4, which has known vulnerabilities.
"Hosts:
https:// xaasportal.cbts.ne/assets/application-9e4f8c715b2a7ec8a901ca972cc0962c.js"
Recommendation: Upgrade to the newest version of jQuery.

Version-Release number of selected component (if applicable):
5.6

Comment 2 Chris Kacerguis 2016-12-19 19:16:50 UTC
Tracking this for the SUI here: https://www.pivotaltracker.com/story/show/136378431

Comment 3 Chris Kacerguis 2016-12-19 21:59:08 UTC
Updated SUI master branch with latest version of jQuery. See PR: https://github.com/ManageIQ/manageiq-ui-service/pull/400

Comment 4 Chris Kacerguis 2016-12-19 23:28:33 UTC
Euwe PR here: https://github.com/ManageIQ/manageiq-ui-service/pull/401

Comment 6 CFME Bot 2017-04-07 22:03:25 UTC
New commit detected on ManageIQ/manageiq-ui-classic/fine:
https://github.com/ManageIQ/manageiq-ui-classic/commit/e85a4d1e897e144f4c8a494c1e7fb012fa12e1c9

commit e85a4d1e897e144f4c8a494c1e7fb012fa12e1c9
Author:     Martin Povolny <mpovolny>
AuthorDate: Fri Apr 7 14:56:25 2017 +0200
Commit:     Satoe Imaishi <simaishi>
CommitDate: Fri Apr 7 17:58:21 2017 -0400

    Merge pull request #957 from himdel/jquery22
    
    Upgrade jQuery to ~2.2.4
    (cherry picked from commit dceceb8a4bf445a8bb5cecddbd74df8727673e20)
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1406096

 bower.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comment 7 CFME Bot 2017-04-07 22:06:13 UTC
New commit detected on ManageIQ/manageiq/fine:
https://github.com/ManageIQ/manageiq/commit/76b95d908dc73bf5ffb850b087ec295e080d5ea4

commit 76b95d908dc73bf5ffb850b087ec295e080d5ea4
Author:     Martin Povolny <mpovolny>
AuthorDate: Fri Apr 7 14:56:25 2017 +0200
Commit:     Satoe Imaishi <simaishi>
CommitDate: Fri Apr 7 18:02:46 2017 -0400

    Merge pull request #957 from himdel/jquery22
    
    Upgrade jQuery to ~2.2.4
    (cherry picked from commit dceceb8a4bf445a8bb5cecddbd74df8727673e20)
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1406096

 bower.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comment 8 Jan Krocil 2017-05-02 15:22:47 UTC
Self Service UI is on jQuery 3.2.1 and regular UI is on jQuery 2.2.4.

Verified in 5.8.0.12-rc1.20170425180304_4f35996.
