jquery vulnerability
Posted: Tue Jul 14, 2020 3:53 am
by Nuggel1234
Hi,
we are using Nagios XI 5.7.1
Today we get the information that there is a vulnerability in jquery prior to 3.5.0
CVE-2020-11022
JQuery is prone to a cross-site-scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
Affected Versions:
jQuery versions greater than or equal to 1.2 and before 3.5.0.
QID Detection Logic(Unauthenticated):
It checks for vulnerable versions of jQuery from default web page.
Vendor has advised to Upgrade jquery to version 3.5.0
Is this possible or will this be fixed in the next update?
Thank you
Re: jquery vulnerability
Posted: Tue Jul 14, 2020 9:39 am
by scottwilkerson
jQuery was updated to 3.5.1 when Nagios XI version 5.7.1 was released. Can you give any more information on this report?
Re: jquery vulnerability
Posted: Wed Jul 29, 2020 3:41 am
by Nuggel1234
Sorry for the late response.
We told the security guys that the patch has to be implemented.
But we get the answer, that the issue is here:
https://XXXXXXXXXXXXXX/nagiosxi/include ... 3.1.min.js
How can we fix this issue?
Thank you
Re: jquery vulnerability
Posted: Wed Jul 29, 2020 2:50 pm
by scottwilkerson
This file is not used in any pages that are loaded in the direct GUI.
This version is used by the backend to create PDFs for reports because the current version isn't supported for that, but these are not run through the GUI web interface.
Re: jquery vulnerability
Posted: Fri Jul 31, 2020 5:10 am
by Nuggel1234
But we have to remove it or block it, because the security scan detects it. So I understand, but it's an issue for us.
Is there a way to deactivate or remove it? We don't create pdfs.
Thank you
Re: jquery vulnerability
Posted: Fri Jul 31, 2020 12:53 pm
by lmiltchev
Nuggel1234 wrote:Is there a way to deactivate or remove it? We don't create pdfs.
If you are not using this feature (creating PDFs), you could safely remove the offending js file.
Re: jquery vulnerability
Posted: Mon Aug 03, 2020 12:10 am
by Nuggel1234
lmiltchev wrote:Is there a way to deactivate or remove it? We don't create pdfs.
If you are not using this feature (creating PDFs), you could safely remove the offending js file.
How do I remove this version of jquery?
Re: jquery vulnerability
Posted: Mon Aug 03, 2020 9:28 am
by lmiltchev
You can go to the jquery directory from the command line:
Code:
cd /usr/local/nagiosxi/html/includes/js/jquery/
and list the contents to see what you have in it.
You can remove the file that you don't need by running:
where you substitute "x.x.x" with the actual version numbers.
We only need the jquery-3.5.1.min.js and jquery-1.12.4.min.js (that second one is for generating PDFs using wkhtmltopdf). You can remove the other "old" versions, and jquery-1.12.4.min.js (if you are not planning on generating PDFs).
Hope this helps.
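As an added example (my own script, not code from the thread or from Nagios), a small POSIX shell audit that lists the versioned jquery-X.Y.Z[.min].js files in that directory which fall inside the CVE-2020-11022 range (1.2 up to, but not including, 3.5.0), so you can confirm what the scanner is flagging before removing anything. It assumes the Nagios XI path quoted above and only checks files whose name carries a version number.

```shell
#!/bin/sh
# Added example (not from the thread or from Nagios): print the versioned
# jquery-X.Y.Z[.min].js files in a directory that fall inside the
# CVE-2020-11022 range (>= 1.2.0 and < 3.5.0), so an admin can see which
# copies a scanner will keep flagging before deleting anything.
# jquery-ui-*, jquery-migrate-* and unversioned files are skipped.

# Default is the Nagios XI path given in the thread (assumption: same
# layout on your install); override with JQUERY_DIR=/other/path
JQUERY_DIR="${JQUERY_DIR:-/usr/local/nagiosxi/html/includes/js/jquery}"

# is_affected MAJOR MINOR -> exit 0 when 1.2 <= version < 3.5
is_affected() {
    major=$1 minor=$2
    # older than 1.2: outside the advisory's range
    if [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 2 ]; }; then
        return 1
    fi
    # 3.5.0 and later carry the fix
    if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 5 ]; }; then
        return 1
    fi
    return 0
}

# audit_dir DIR -> prints affected file names one per line;
# exit 0 if none were found, 1 if at least one was
audit_dir() {
    dir=$1 status=0
    for path in "$dir"/jquery-*.js; do
        [ -e "$path" ] || continue           # unmatched glob or missing dir
        name=$(basename "$path")
        ver=${name#jquery-}                  # "3.5.1.min.js"
        ver=${ver%.min.js}; ver=${ver%.js}   # "3.5.1"
        case "$ver" in
            ""|*[!0-9.]*) continue ;;        # plugin or unversioned file
        esac
        # split X.Y.Z into positional parameters; a missing minor counts as 0
        set -- $(printf '%s' "$ver" | tr '.' ' ')
        if is_affected "$1" "${2:-0}"; then
            echo "$name"
            status=1
        fi
    done
    return $status
}

if audit_dir "$JQUERY_DIR"; then
    echo "no jQuery copy in the CVE-2020-11022 range under $JQUERY_DIR"
fi
```

Files it prints are the ones a version-based scanner check will report; keep jquery-3.5.1.min.js regardless and keep jquery-1.12.4.min.js only if you still need PDF reports.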
Re: jquery vulnerability
Posted: Fri Sep 04, 2020 3:25 am
by Nuggel1234
I think this should fix the problem. Until now there was no new positive scan.
Thank you

Re: jquery vulnerability
Posted: Fri Sep 04, 2020 6:53 am
by scottwilkerson
Nuggel1234 wrote:I think this should fix the problem. Until now there was no new positive scan.
Thank you

Great
Closing thread