jquery-1.9.1.js: 4 vulnerabilities (highest severity is: 6.9) - autoclosed

[ibm-mend-app]

Vulnerable Library - jquery-1.9.1.js

An open source front-end implementation that help you quickly construct modern multi-screen applications

Library home page: https://cdnjs.cloudflare.com/ajax/libs/zui/1.9.1/lib/jquery/jquery.js

Path to dependency file: /docs/images/PathExpressionLexer/index.html

Path to vulnerable library: /docs/images/PathExpressionLexer/index.html

Found in HEAD commit: 2f9c45732966e371e172d466f8fd082d8797adbb

Vulnerabilities

Vulnerability	Severity	CVSS	Dependency	Type	Fixed in (jquery version)	Remediation Possible**
CVE-2020-11023	Medium	6.9	jquery-1.9.1.js	Direct	All Cacti users should upgrade to the latest version # emerge --sync

emerge --ask --oneshot --verbose >=net-analyzer/cacti-1.2.13

All Cacti Spine users should upgrade to the latest version # emerge --sync

emerge --ask --oneshot --verbose >=net-analyzer/cacti-spine-1.2.13 >= | ❌ |

| CVE-2020-11022 | Medium | 6.9 | jquery-1.9.1.js | Direct | All Cacti users should upgrade to the latest version # emerge --sync

emerge --ask --oneshot --verbose >=net-analyzer/cacti-1.2.13

All Cacti Spine users should upgrade to the latest version # emerge --sync

emerge --ask --oneshot --verbose >=net-analyzer/cacti-spine-1.2.13 >= | ❌ |

| CVE-2019-11358 | Medium | 6.1 | jquery-1.9.1.js | Direct | Replace or update the following files: core.js, core.js | ❌ |
| CVE-2015-9251 | Medium | 6.1 | jquery-1.9.1.js | Direct | Replace or update the following files: script.js, ajax.js, ajax.js | ❌ |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-11023

Vulnerable Library - jquery-1.9.1.js

An open source front-end implementation that help you quickly construct modern multi-screen applications

Library home page: https://cdnjs.cloudflare.com/ajax/libs/zui/1.9.1/lib/jquery/jquery.js

Path to dependency file: /docs/images/PathExpressionLexer/index.html

Path to vulnerable library: /docs/images/PathExpressionLexer/index.html

Dependency Hierarchy:

• ❌ jquery-1.9.1.js (Vulnerable Library)

Found in HEAD commit: 2f9c45732966e371e172d466f8fd082d8797adbb

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://security.gentoo.org/glsa/202007-03

Fix Resolution: All Cacti users should upgrade to the latest version # emerge --sync # emerge --ask --oneshot --verbose >=net-analyzer/cacti-1.2.13 All Cacti Spine users should upgrade to the latest version # emerge --sync # emerge --ask --oneshot --verbose >=net-analyzer/cacti-spine-1.2.13 >=

CVE-2020-11022

Vulnerable Library - jquery-1.9.1.js

An open source front-end implementation that help you quickly construct modern multi-screen applications

Library home page: https://cdnjs.cloudflare.com/ajax/libs/zui/1.9.1/lib/jquery/jquery.js

Path to dependency file: /docs/images/PathExpressionLexer/index.html

Path to vulnerable library: /docs/images/PathExpressionLexer/index.html

Dependency Hierarchy:

• ❌ jquery-1.9.1.js (Vulnerable Library)

Found in HEAD commit: 2f9c45732966e371e172d466f8fd082d8797adbb

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://security.gentoo.org/glsa/202007-03

Fix Resolution: All Cacti users should upgrade to the latest version # emerge --sync # emerge --ask --oneshot --verbose >=net-analyzer/cacti-1.2.13 All Cacti Spine users should upgrade to the latest version # emerge --sync # emerge --ask --oneshot --verbose >=net-analyzer/cacti-spine-1.2.13 >=

CVE-2019-11358

Vulnerable Library - jquery-1.9.1.js

An open source front-end implementation that help you quickly construct modern multi-screen applications

Library home page: https://cdnjs.cloudflare.com/ajax/libs/zui/1.9.1/lib/jquery/jquery.js

Path to dependency file: /docs/images/PathExpressionLexer/index.html

Path to vulnerable library: /docs/images/PathExpressionLexer/index.html

Dependency Hierarchy:

• ❌ jquery-1.9.1.js (Vulnerable Library)

Found in HEAD commit: 2f9c45732966e371e172d466f8fd082d8797adbb

Found in base branch: master

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2019-04-19

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: jquery/jquery@753d591

Release Date: 2019-03-25

Fix Resolution: Replace or update the following files: core.js, core.js

CVE-2015-9251

Vulnerable Library - jquery-1.9.1.js

An open source front-end implementation that help you quickly construct modern multi-screen applications

Library home page: https://cdnjs.cloudflare.com/ajax/libs/zui/1.9.1/lib/jquery/jquery.js

Path to dependency file: /docs/images/PathExpressionLexer/index.html

Path to vulnerable library: /docs/images/PathExpressionLexer/index.html

Dependency Hierarchy:

• ❌ jquery-1.9.1.js (Vulnerable Library)

Found in HEAD commit: 2f9c45732966e371e172d466f8fd082d8797adbb

Found in base branch: master

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: jquery/jquery@b078a62#diff-bee4304906ea68bebadfc11be4368419

Release Date: 2015-10-12

Fix Resolution: Replace or update the following files: script.js, ajax.js, ajax.js

[ibm-mend-app]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.