View Issue Details

ID: 0026384
Project: mantisbt
Category: security
View Status: public
Last Update: 2019-12-09 15:04
Reporter: hanno
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: duplicate
Product Version: 2.22.1
Summary: 0026384: Outdated jquery and bootstrap copies with known vulnerabilities
Description

The bootstrap code contains two copies of jquery:
./js/jquery-2.2.4.min.js
./vendor/phpunit/php-code-coverage/src/CodeCoverage/Report/HTML/Renderer/Template/js/jquery.min.js (version 1.11.3)

And also a copy of bootstrap 3.3.4:
./vendor/phpunit/php-code-coverage/src/CodeCoverage/Report/HTML/Renderer/Template/css/bootstrap.min.css

Both have known vulnerabilities, e.g. [1][2] (which doesn't necessarily mean these are exploitable in the way bootstrap/jquery is used within mantis; these js/css framework vulns are often very specific to certain use cases - still, I think known vulnerable components should be updated).

The latter two seem to be part of php-code-coverage, which has recently updated these:
https://github.com/sebastianbergmann/php-code-coverage/commit/cfc7f556bef3458d4b052c76579c376bc4b96205
https://github.com/sebastianbergmann/php-code-coverage/commit/0e6ad854dc76bd6751e3b3b15aa78e6b8605996f

So updating the bundled php-code-coverage would fix those.

[1] https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/
[2] https://www.cvedetails.com/cve/CVE-2019-11358/

Tags: No tags attached.

Relationships

duplicate of 0026357 (acknowledged): Vulnerability from library JQuery 2.2.4
related to 0026385 (closed, dregad): Release packages and nightly build should not include development dependencies

Activities

dregad (developer), 2019-11-25 07:33, ~0063138

Thanks for the report.

The problem with jQuery 2.2.4 has already been reported (see 0026357), so I'm closing as duplicate.

With regards to Bootstrap, the issue is basically the same, even worse actually considering that it is very closely tied in to the ACE admin template we're using. Unfortunately, the latter is no longer supported, so I'm not sure how this will be addressed. I guess at some point we'll have to switch to another template. Long story short, we're stuck with Bootstrap 3 for now, and we are using the latest available release (3.4.1).

As for the phpunit dependency you referenced, please note that this is only used for development purposes, so I don't believe a production MantisBT would be vulnerable. That being said, I just realized that our release build script is not calling composer with the --no-dev option, so these get included even though they should not. I've opened 0026385 to track this issue.
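As an added example (not part of this issue or of MantisBT's own code), a small release-package audit covering both points raised in the thread: it reads the banner of bundled jQuery/Bootstrap files, compares their version with the patched releases referenced above (jQuery 3.4.0 closes CVE-2019-11358; Bootstrap 3.4.1 is the fixed 3.x release), and flags phpunit paths that a build run without `--no-dev` would ship. The sample file contents are constructed, and `scan_tree` is an assumed helper for running the same check over a real release checkout.

```python
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Minimum versions carrying the fixes cited in the report:
# jQuery 3.4.0 closes CVE-2019-11358; Bootstrap 3.4.1 is the patched 3.x line.
MIN_VERSIONS = {"jquery": (3, 4, 0), "bootstrap": (3, 4, 1)}

# Banner formats of the minified distributions, e.g.
#   /*! jQuery v2.2.4 | (c) jQuery Foundation | jquery.org/license */
#   /*!\n * Bootstrap v3.3.4 (http://getbootstrap.com)
BANNER_RE = re.compile(r"/\*!\s*\*?\s*(jQuery|Bootstrap)\s+v(\d+)\.(\d+)\.(\d+)", re.I)

# Composer dev dependencies; none of these belong in a release package.
DEV_ONLY_PREFIXES = ("vendor/phpunit/",)


def parse_banner(text: str) -> Optional[Tuple[str, Tuple[int, int, int]]]:
    """Return (library, (major, minor, patch)) from a file's leading banner, or None."""
    m = BANNER_RE.search(text[:512])
    if not m:
        return None
    return m.group(1).lower(), tuple(int(x) for x in m.group(2, 3, 4))


def audit_release(files: Dict[str, str]) -> List[str]:
    """files maps a path relative to the package root to (the start of) its content."""
    findings = []
    for path, text in sorted(files.items()):
        if path.startswith(DEV_ONLY_PREFIXES):
            findings.append(f"{path}: dev-only dependency bundled (built without --no-dev?)")
        parsed = parse_banner(text)
        if parsed is None:
            continue
        lib, ver = parsed
        if ver < MIN_VERSIONS[lib]:
            have, want = ".".join(map(str, ver)), ".".join(map(str, MIN_VERSIONS[lib]))
            findings.append(f"{path}: {lib} {have} < {want}")
    return findings


def scan_tree(root: str) -> List[str]:
    """Assumed helper: walk a release checkout, reading only each js/css banner region."""
    files = {p.relative_to(root).as_posix(): p.read_text(errors="replace")[:512]
             for p in Path(root).rglob("*") if p.is_file() and p.suffix in (".js", ".css")}
    return audit_release(files)


# Constructed sample mirroring the paths named in the report (contents are not real files).
COV = "vendor/phpunit/php-code-coverage/src/CodeCoverage/Report/HTML/Renderer/Template/"
SAMPLE = {
    "js/jquery-2.2.4.min.js": "/*! jQuery v2.2.4 | (c) jQuery Foundation | jquery.org/license */",
    COV + "js/jquery.min.js": "/*! jQuery v1.11.3 | (c) 2005, 2015 jQuery Foundation, Inc. */",
    COV + "css/bootstrap.min.css": "/*!\n * Bootstrap v3.3.4 (http://getbootstrap.com)\n */",
    "css/bootstrap.min.css": "/*!\n * Bootstrap v3.4.1 (https://getbootstrap.com/)\n */",
}
```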