Bundled jquery library, version 1.12.4 is vulnerable.

1 Answer 1123 Views
General Discussions
Justin
Top achievements
Rank 1
Justin asked on 29 Sep 2021, 10:21 AM

On my OWASP ZAP scans of our app (which uses asp.ajax controls 2021.3), I get the following warning (see below).

Could you please advise whether there's any plans to update the embedded jquery library to the latest?

 

Medium (Medium)Vulnerable JS Library
Description

The identified library jquery, version 1.12.4 is vulnerable.

URLhttps://test.xxxxx.com/Telerik.Web.UI.WebResource.axd?_TSM_CombinedScripts_=%3B%3BSystem.Web.Extensions%2C%20Version%3D4.0.0.0%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3D31bf3856ad364e35%3Aen-GB%3Aba1d5018-bf9d-4762-82f6-06087a49b5f6%3Aea597d4b%3Ab25378d2%3BTelerik.Web.UI%2C%20Version%3D2021.3.914.45%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3D121fae78165ba3d4%3Aen-GB%3Abd4f5d20-e2f4-41b1-99ef-02ee4a064af0%3A16e4e7cd%3Af7645509%3Aed16cbdc%3A88144a7a%3A33715776%3A24ee1bba%3A6d43f6d9%3Ac128760b%3A874f8ea2%3A19620875%3Ac172ae1e%3Af46195d3%3A9cdfc6e7%3Ae330518b%3A2003d0b8%3A1e771326%3Ac8618e41%3Ae4f8f289%3A1a73651d%3A16d8629e&_TSM_HiddenField_=RadScriptManager1_TSM&compress=1
MethodGET
Evidence/*! jQuery v1.12.4
Instances1
Solution

Please upgrade to the latest version of jquery.

Other information

CVE-2020-11023

CVE-2020-11022

CVE-2015-9251

CVE-2019-11358

Reference

https://github.com/jquery/jquery/issues/2432

http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/

http://research.insecurelabs.org/jquery/test/

https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/

https://nvd.nist.gov/vuln/detail/CVE-2019-11358

https://nvd.nist.gov/vuln/detail/CVE-2015-9251

https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b

https://bugs.jquery.com/ticket/11974

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

CWE Id829
Source ID3

 

1 Answer, 1 is accepted

Sort by
0
Vessy
Telerik team
answered on 30 Sep 2021, 07:03 AM

Hello Justin,

Our official statement is that we can not, unfortunately, upgrade the jQuery to its latest release because it is not compatible with the MS AJAX (ASP.NET Web Forms) framework. The __doPostBack method of MS AJAX does not work (postback) with jQuery 3.x.x (see Breaking change: jQuery 3.0 runs in Strict Modehere and here).

We did try to upgrade the embedded jQuery version in the past and you can find some of the related issues we have noticed listed in the following forum post - https://www.telerik.com/forums/known-issues-and-important-changes#KKI7NGE4P0K-jwQGL525dA

That's why we downgraded to 1.12.4 and backported all security fixes provided by jQuery to that custom version. We will continue to port the security fixes from the new jQuery versions to the custom jQuery build distributed with the Telerik AJAX controls.

You can find a list of security fixes introduced to the custom jQuery script embedded in the Telerik.Web.UI assembly in the Embedded jQuery Security section in our documentation

Having in mind that the known vulnerabilities for jQuery 1.12.4  are not present in the custom embedded jQuery version, there is no need to upgrade the embedded jQuery. It is enough if you use Telerik version R2 2020 or later.

For your convenience, I am pasting the related part of the Embedded jQuery Security section in our documentation:

As of R1 2019, Telerik UI for ASP.NET AJAX ships a custom jQuery 1.12.4, with backport fixes incorporated to eliminate known vulnerability issues for 1.12.4 version. Here is a list of security fixes introduced to the custom jQuery script embedded in the Telerik.Web.UI assembly.

An alternative approach is to Disable the embedded jQuery in the Telerik assembly and to import the latest one. To open the jquery-3.x.x.min.js file and to remove the 'use strict' statement from its beginning and save it. This is not a tested solution and I am not aware of any side effects that might occur. 

Kind regards,
Vessy
Progress Telerik

Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.

Justin
Top achievements
Rank 1
commented on 30 Sep 2021, 07:19 AM

Hi Vessy,

thank you for the very comprehensive answer. You have given me the response I need which will help me to get past my outstanding pen testing issues. I'm happy to run with the supported version of jquery as it is knowing that you're back porting the security fixes into that version.

thanks again,

Justin 

Vessy
Telerik team
commented on 01 Oct 2021, 08:06 AM

You are more than welcome, Justin :) I am glad the provided information is helpful for you!
Tags
General Discussions
Asked by
Justin
Top achievements
Rank 1
Answers by
Vessy
Telerik team
Share this question
or