View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update
---|---|---|---|---|---
0034416 | mantisbt | security | public | 2024-04-23 09:37 | 2024-04-25 03:49

Field | Value
---|---
Reporter | Mickoloh
Assigned To | dregad
Priority | normal
Severity | major
Reproducibility | always
Status | resolved
Resolution | duplicate
Platform | Linux
OS | RedHat Enterprise Linux
OS Version | 9.3
Product Version | 2.26.1
Summary | 0034416: NESSUS reports vuln for jquery and typeahead
Description | Our Nessus scanner reports the following vulnerabilities: jquery is version 2.2.4, should be 3.5.0+. Related: Thanks!
Additional Information | From ./library/README.md: "MantisBT external libraries. This directory contains a copy of the 3rd-party libraries used by MantisBT. The version and status of each is summarized below:" ----snip--- `typeahead.js \| 1.3.0 \| unpatched` ----snip---
Tags | No tags attached.
Attached Files |
Thanks for the report. With regards to the jQuery vulnerability, this is a known issue that has already been reported to us several times (see 0026357). Unfortunately, we are currently on the latest available 2.x release, which is no longer receiving patches. Considering the number of breaking changes introduced by version 3.x, upgrading is not a small undertaking, and would require extensive testing to ensure full compatibility; sadly we do not have the bandwidth for taking this on at the moment. Contributions are welcome.
According to https://github.com/corejavascript/typeahead.js/releases, the latest available release is 1.3.4, not sure where you are getting the 3.5.0+ reference from. The changelog does not mention any specific vulnerabilities fixed between 1.3.0 and 1.3.4, although the 1.3.1 release includes updates of numerous npm dependencies to resolve vulnerability warnings. Follow-up in 0034417 for upgrade to 1.3.4.
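As an added example, not part of this issue or of the MantisBT code base: a small Python check that reconciles a scanner finding like the one above with the versions MantisBT actually ships, as recorded in library/README.md. The README text below is a constructed sample modelled on the row quoted in the report, and the minimum-version table is an assumption built from the figures in this thread (3.5.0 for jQuery as Nessus states it, 1.3.4 as the latest typeahead.js release named in the reply).

```python
"""Cross-check a scanner's library-version finding against library/README.md.

Example code added for illustration; the README text is a constructed sample
and the minimum versions are assumptions taken from the issue discussion.
"""
import re

# Constructed sample modelled on the README table quoted in the report;
# column order (library, version, status) follows the row shown there.
SAMPLE_README = """\
# MantisBT external libraries

This directory contains a copy of the 3rd-party libraries used by MantisBT.
The version and status of each is summarized below:

| Library      | Version | Status    |
|--------------|---------|-----------|
| jquery       | 2.2.4   | unpatched |
| typeahead.js | 1.3.0   | unpatched |
"""

# Assumed minimums: 3.5.0 for jQuery (per the Nessus finding), 1.3.4 for
# typeahead.js (latest upstream release named in the thread).
MINIMUM_VERSIONS = {"jquery": "3.5.0", "typeahead.js": "1.3.4"}

# One markdown table row: | name | version | status |
ROW_RE = re.compile(r"^\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*([^|]*?)\s*\|")


def parse_version(text):
    """Turn '1.3.0' into a comparable tuple so 1.10.0 > 1.9.9.

    Numeric parts compare as integers; any non-numeric part (e.g. 'rc1')
    sorts below a number, which is the conservative choice for a check.
    """
    parts = []
    for piece in re.split(r"[.\-]", text.strip()):
        parts.append((1, int(piece)) if piece.isdigit() else (0, piece))
    return tuple(parts)


def parse_library_table(readme_text):
    """Return {library: version} from the README's markdown table.

    Header and separator rows are skipped; prose lines do not match ROW_RE.
    """
    libs = {}
    for line in readme_text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        name, version, _status = m.groups()
        if name.lower() == "library" or set(name) <= set("-: "):
            continue
        libs[name] = version
    return libs


def outdated_libraries(readme_text, minimums):
    """Return [(name, shipped, required)] for libraries below their minimum."""
    shipped = parse_library_table(readme_text)
    findings = []
    for name, required in minimums.items():
        have = shipped.get(name)
        if have is None:
            # Scanner may flag a file the README does not list; handle separately.
            continue
        if parse_version(have) < parse_version(required):
            findings.append((name, have, required))
    return findings


if __name__ == "__main__":
    for name, have, required in outdated_libraries(SAMPLE_README, MINIMUM_VERSIONS):
        print(f"{name}: shipped {have}, scanner wants >= {required}")
```

Versions are compared as numeric tuples rather than strings so that a later minor release (1.10.0) is not judged older than 1.9.9; a library the README does not list is skipped rather than reported, since a scanner hit on a file outside library/ needs a separate look at where that file came from.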
Hi! The 3.5.0+ was what Nessus indicated as the version in which the vulnerability was fixed - sorry about that! I'll definitely check out the 1.3.4 upgrade documentation. Thank you!