View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0026384 | mantisbt | security | public | 2019-11-24 08:31 | 2019-12-09 15:04 |
Reporter | hanno | Assigned To | dregad | ||
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | closed | Resolution | duplicate | ||
Product Version | 2.22.1 | ||||
Summary | 0026384: Outdated jquery and bootstrap copies with known vulnerabilities | ||||
Description | The bootstrap code contains two copies of jquery: And also a copy of bootstrap 3.3.4: Both have known vulnerabilities, e.g. [1][2] (which doesn't necessarily mean these are exploitable in the way bootstrap/jquery is used within mantis; these js/css framework vulns are often very specific to certain use cases. Still, I think known vulnerable components should be updated). The latter two seem to be part of php-code-coverage, which has recently updated these: So updating the bundled php-code-coverage would fix those. [1] https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/ | ||||
Tags | No tags attached. | ||||
Thanks for the report. The problem with jQuery 2.2.4 has already been reported (see 0026357), so I'm closing as duplicate. With regards to Bootstrap, the issue is basically the same, even worse actually considering that it is very closely tied in to the ACE admin template we're using. Unfortunately, the latter is no longer supported, so I'm not sure how this will be addressed. I guess at some point we'll have to switch to another template. Long story short, we're stuck with Bootstrap 3 for now, and we are using the latest available release (3.4.1). As for the phpunit dependency you referenced, please note that this is only used for development purposes, so I don't believe a production MantisBT would be vulnerable. That being said, I just realized that our release build script is not calling composer with the
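The report above turns on a practical question: which copies of jQuery and Bootstrap are actually vendored in a source tree, at which versions, and whether any sit below the release that the linked Bootstrap post names as fixed (3.4.1 for the 3.x line, 4.3.1 for 4.x). The script below is an added example written for this page; it is not MantisBT code and does not reproduce the reporter's file paths. It walks a tree, reads the banner comment of every .js/.css file, and grades each hit against a per-major-version minimum. The Bootstrap minimums come from the linked post; the jQuery minimum (3.4.0) and the sample banners are assumptions for the example, and the file tree it scans is constructed in a temp directory so it runs offline.

```python
"""Inventory vendored jQuery/Bootstrap copies and flag outdated ones.

Added example, not MantisBT's own code. Bootstrap floors come from the
3.4.1/4.3.1 blog post linked in the report; the jQuery floor is an ASSUMED
placeholder and should be taken from the advisory tracked in 0026357.
"""
import os
import re
import tempfile

# Banner lines shipped at the top of the distributed builds, e.g.
#   /*! jQuery v2.2.4 | (c) jQuery Foundation | jquery.org/license */
#   /*! jQuery JavaScript Library v1.12.4 */
#   /*! Bootstrap v3.3.4 (http://getbootstrap.com) */
BANNER_RE = re.compile(
    r"\b(jquery|bootstrap)(?:\s+javascript\s+library)?\s+v(\d+(?:\.\d+)+)",
    re.IGNORECASE,
)

# Minimum acceptable release per major line. A major line with no entry is
# reported as "unsupported": no release on that line is considered acceptable.
MINIMUMS = {
    "bootstrap": {3: (3, 4, 1), 4: (4, 3, 1)},  # from the linked blog post
    "jquery": {3: (3, 4, 0)},                   # ASSUMED placeholder floor
}


def parse_version(text):
    """'3.3.4' -> (3, 3, 4). Tuples compare correctly element by element."""
    return tuple(int(part) for part in text.split("."))


def detect_banner(path, limit=4096):
    """Return (library, version_tuple) from a file's header comment, else None.

    Only the first `limit` bytes are read: distributed builds put the banner
    first, and minified files can be large."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(limit).decode("utf-8", errors="replace")
    except OSError:
        return None
    match = BANNER_RE.search(head)
    if not match:
        return None
    return match.group(1).lower(), parse_version(match.group(2))


def evaluate(library, version, minimums=MINIMUMS):
    """'ok' if at/above the floor for its major line, 'outdated' if below,
    'unsupported' if that major line has no acceptable release at all."""
    floor = minimums.get(library, {}).get(version[0])
    if floor is None:
        return "unsupported"
    return "ok" if version >= floor else "outdated"


def scan_tree(root, minimums=MINIMUMS, suffixes=(".js", ".css")):
    """Walk `root`; return sorted (relpath, library, version, verdict) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            hit = detect_banner(path)
            if hit is None:
                continue
            library, version = hit
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.append((rel, library, ".".join(map(str, version)),
                             evaluate(library, version, minimums)))
    return sorted(findings)


# Constructed sample tree (banners written for this example, not real builds).
SAMPLE_FILES = {
    "js/jquery-2.2.4.min.js": "/*! jQuery v2.2.4 | (c) jQuery Foundation | "
                              "jquery.org/license */\n!function(a){}(window);\n",
    "css/bootstrap.min.css": "/*!\n * Bootstrap v3.3.4 (http://getbootstrap.com)"
                             "\n */.btn{margin:0}\n",
    "js/bootstrap.min.js": "/*!\n * Bootstrap v3.4.1 (https://getbootstrap.com/)"
                           "\n */\n",
    "js/app.js": "// application code, no vendored library banner\n",
}


def build_sample_tree():
    """Materialise SAMPLE_FILES under a fresh temp dir; return its path."""
    root = tempfile.mkdtemp(prefix="bundled-js-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, lib, ver, verdict in scan_tree(build_sample_tree()):
        print(f"{verdict:11} {lib:9} {ver:7} {rel}")
```

Run it against a real checkout as `scan_tree("/path/to/mantisbt")`. A finding under a vendor/ or phpunit-related path is worth a second look in the light of the comment above: a copy that only exists as a development dependency is not shipped to production if the release build excludes dev packages, but the scanner cannot tell that from the file alone, so check the build script rather than the tree.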