Description of problem:
One finding we had is that the current version of Bootstrap is v3.3.5 which is known to have some exploits.
Is there a way to use the latest Bootstrap v4.x instead?
Version-Release number of selected component (if applicable):
Here is the related CVE for Bootstrap 3.3.x:
Our evaluation is that this is NOT exploitable in the OpenShift console, as we do not put unknown content into a `data-target` attribute. Regardless, we plan to update Bootstrap to 3.4.0 in OpenShift 3.11.z, which has a fix for the CVE in Bootstrap:
PR to resolve: https://github.com/openshift/origin-web-console/pull/3105
OpenShift Web Console:
Tested on an OCP 3.11 env with the above version; checked <server>/console/styles/main.css, which now indicates Bootstrap v3.4.0:
* Bootstrap v3.4.0 (https://getbootstrap.com/)
* Copyright 2011-2018 Twitter, Inc.
* Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
I think the bug has been fixed, moving it to Verified. If there is something wrong, please point it out, thanks!
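The verification step above (reading the Bootstrap banner out of the console's main.css and confirming it is the fixed release) as an added, stand-alone Node.js check; this is not code from the bug report or from origin-web-console, the CSS sample is constructed, and the optional live fetch assumes Node 18+ with global `fetch`:

```javascript
// Added example: confirm the Bootstrap bundled into the console stylesheet
// is at least 3.4.0, the release this bug says carries the data-target fix.

// Constructed sample of the banner at the top of main.css (not captured
// from a real server); the real file carries the same three header lines.
const SAMPLE_CSS = `/*!
 * Bootstrap v3.4.0 (https://getbootstrap.com/)
 * Copyright 2011-2018 Twitter, Inc.
 * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
 */
.btn { display: inline-block; }`;

// Pull "X.Y.Z" out of the "Bootstrap vX.Y.Z" banner comment, or null if
// no banner is present (e.g. the vendor header was stripped at build time).
function bootstrapVersionFromCss(cssText) {
  const m = /\*\s*Bootstrap v(\d+\.\d+\.\d+)/.exec(cssText);
  return m ? m[1] : null;
}

// Component-wise numeric comparison so that 3.10.0 sorts after 3.4.0
// (a plain string compare would get this wrong). Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Result object: the detected version (or null) and whether it meets the
// minimum fixed release. A missing banner is treated as NOT fixed, so an
// absent header fails closed rather than silently passing.
function checkBootstrap(cssText, minFixed = '3.4.0') {
  const version = bootstrapVersionFromCss(cssText);
  const fixed = version !== null && compareVersions(version, minFixed) >= 0;
  return { version, fixed };
}

// Hypothetical helper for a live console: point it at
// https://<server>/console/styles/main.css (assumes Node 18+ global fetch).
async function checkLiveConsole(mainCssUrl) {
  const res = await fetch(mainCssUrl);
  if (!res.ok) throw new Error(`HTTP ${res.status} fetching ${mainCssUrl}`);
  return checkBootstrap(await res.text());
}

console.log(checkBootstrap(SAMPLE_CSS)); // { version: '3.4.0', fixed: true }
```

Run `checkLiveConsole(url)` against the real stylesheet URL to reproduce the manual check; any result with `fixed: false` means the console is still serving a pre-3.4.0 Bootstrap.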
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.