jquery vulnerability

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
Nuggel1234
Posts: 23
Joined: Mon May 28, 2018 2:39 am

jquery vulnerability

Post by Nuggel1234 »

Hi,

We are using Nagios XI 5.7.1.
Today we got the information that there is a vulnerability in jQuery prior to 3.5.0.

CVE-2020-11022

JQuery is prone to a cross-site-scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
Affected Versions:
jQuery versions greater than or equal to 1.2 and before 3.5.0.

QID Detection Logic (Unauthenticated):
It checks for vulnerable versions of jQuery from default web page.

Vendor has advised to upgrade jQuery to version 3.5.0.


Is this possible or will this be fixed in the next update?

Thank you
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: jquery vulnerability

Post by scottwilkerson »

jQuery was updated to 3.5.1 when Nagios XI version 5.7.1 was released. Can you give any more information on this report?
Nuggel1234
Posts: 23
Joined: Mon May 28, 2018 2:39 am

Re: jquery vulnerability

Post by Nuggel1234 »

Sorry for the late response.
We told the security guys that the patch has to be implemented.

But we got the answer that the issue is here:

https://XXXXXXXXXXXXXX/nagiosxi/include ... 3.1.min.js

How can we fix this issue?

Thank you
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: jquery vulnerability

Post by scottwilkerson »

This file is not used in any pages that are loaded in the direct GUI.

This version is used by the backend to create PDFs for reports because the current version isn't supported for that, but these are not run through the GUI web interface.
Nuggel1234
Posts: 23
Joined: Mon May 28, 2018 2:39 am

Re: jquery vulnerability

Post by Nuggel1234 »

But we have to remove it or block it, because the security scan detects it. So I understand, but it's an issue for us.
Is there a way to deactivate or remove it? We don't create pdfs.

Thank you
lmiltchev
Former Nagios Staff
Posts: 13589
Joined: Mon May 23, 2011 12:15 pm

Re: jquery vulnerability

Post by lmiltchev »

Is there a way to deactivate or remove it? We don't create pdfs.
If you are not using this feature (creating PDFs), you could safely remove the offending js file.
Nuggel1234
Posts: 23
Joined: Mon May 28, 2018 2:39 am

Re: jquery vulnerability

Post by Nuggel1234 »

lmiltchev wrote:
Is there a way to deactivate or remove it? We don't create pdfs.
If you are not using this feature (creating PDFs), you could safely remove the offending js file.
How do I remove this version of jquery?
lmiltchev
Former Nagios Staff
Posts: 13589
Joined: Mon May 23, 2011 12:15 pm

Re: jquery vulnerability

Post by lmiltchev »

You can go to the jquery directory from the command line:


cd /usr/local/nagiosxi/html/includes/js/jquery/
and list the contents to see what you have in it.


ls -la
You can remove the file that you don't need by running:


rm -f jquery-x.x.x.min.js
where you substitute "x.x.x" with the actual version numbers.

We only need the jquery-3.5.1.min.js and jquery-1.12.4.min.js (that second one is for generating PDFs using wkhtmltopdf). You can remove the other "old" versions, and jquery-1.12.4.min.js (if you are not planning on generating PDFs).

Hope this helps.
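As an added example (not from the thread and not Nagios code), a small POSIX shell script that applies the affected range the scanner quotes (>= 1.2 and < 3.5.0) to the file names in that jquery directory, so you can see which copies a scan would still flag before removing anything. It assumes the directory path and the jquery-X.Y.Z[.min].js naming from the post above; the sample files used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from Nagios: list the jQuery copies in a
# directory whose file-name version falls in the CVE-2020-11022 affected range
# (>= 1.2 and < 3.5.0), so you know which files a scanner will keep flagging.

# Return 0 (true) when VERSION (e.g. 1.12.4) is inside the affected range.
jquery_version_affected() {
    ver="$1"
    old_ifs=$IFS
    IFS=.
    set -- $ver                     # split MAJOR.MINOR.PATCH on the dots
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    # Pack into one integer so a single numeric comparison works (3.5.0 -> 3005000).
    key=$(( major * 1000000 + minor * 1000 + patch ))
    [ "$key" -ge 1002000 ] && [ "$key" -lt 3005000 ]
}

# Print every jquery-X.Y.Z.js / jquery-X.Y.Z.min.js in DIR whose version is
# affected; return 0 if at least one was found, 1 otherwise.
find_vulnerable_jquery() {
    dir="$1"
    found=1
    for f in "$dir"/jquery-*.js; do
        [ -e "$f" ] || continue                 # glob matched nothing
        name=${f##*/}
        ver=${name#jquery-}
        ver=${ver%.min.js}
        ver=${ver%.js}
        case "$ver" in
            *[!0-9.]*) continue ;;              # jquery-ui-*, jquery-migrate-*, ...
        esac
        if jquery_version_affected "$ver"; then
            printf '%s\n' "$f"
            found=0
        fi
    done
    return "$found"
}

# Usage on the directory from the post above (assumed default Nagios XI path):
#   find_vulnerable_jquery /usr/local/nagiosxi/html/includes/js/jquery/
```

Run it before and after the rm step: once only jquery-3.5.1.min.js is left (or jquery-1.12.4.min.js if you still generate PDFs with wkhtmltopdf), the script should print the remaining affected copy or nothing at all.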
Nuggel1234
Posts: 23
Joined: Mon May 28, 2018 2:39 am

Re: jquery vulnerability

Post by Nuggel1234 »

I think this should fix the problem. Until now there was no new positive scan.

Thank you :)
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: jquery vulnerability

Post by scottwilkerson »

Nuggel1234 wrote:
I think this should fix the problem. Until now there was no new positive scan.

Thank you :)
Great

Closing thread