request #42980 Library jquery 1.9.1 is vulnerable

Infos

Artifact ID#42980

Submitted byNicolas Vanderhofstadt (nicolascentran)

Last Modified On2025-05-26 10:24

Submitted on2025-05-12 13:25

Rank44689

Details

Summary *

Library jquery 1.9.1 is vulnerable

Original Submission

Hello. we are using the latest Community version.

Our security tools has detected that the library jquery 1.9.1 is vulnerable with a medium risk :

CVE-2020-11023 CVE-2020-11022

Do you know if an update will be done about it (or could you do it) ?

Thank you in advance.

Kind Regards

CategoryOther

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toEmpty

StatusClosed

Close date2025-05-22

Attachments

AttachmentsEmpty

References

Cross references

Referencing request #42980

Git commit

tuleap/tuleap/stable

chore: Remove vendoring of jQuery/jQuery-ui 6c81952847

Thomas Gerbet (tgerbet) , 2025-05-22 14:39

fix: Cannot add a new tracker report renderer 176442fa53

Thomas Gerbet (tgerbet) , 2025-05-28 15:46

fix: Cannot toggle tracker aggregation functions in the tracker view 8b090d4be0

Thomas Gerbet (tgerbet) , 2025-06-02 13:58

Show items referenced by request #42980

Referenced by request #42980

Artifact

request #39762 Get Rid of JQuery

rel #41834 16.9

Git commit

tuleap/tuleap/stable

chore: Remove vendoring of jQuery/jQuery-ui 6c81952847

Thomas Gerbet (tgerbet) , 2025-05-22 14:39

Other

Follow-ups

Joris MASSON (jmasson)

2025-05-22 16:17

Connected artifacts
- Added Fixed in: rel #41834

Tracker Workflow Manager (forge__tracker_workflow_manager)

2025-05-22 16:16

Closed by @tgerbet with git #tuleap/stable/6c81952847b4571fefff2eb9158ab18db5b05715.

Status changed from New to Closed
Close date set to 2025-05-22

Thomas Gerbet (tgerbet)

2025-05-13 11:11

Made an attempt to remove the vendoring of these old versions. It looks okayish, see gerrit #34421. Will try to move it forward for Tuleap 16.9.

Thomas Gerbet (tgerbet)

2025-05-12 16:37

Hello,

To re-assure you, we are not aware of injection points allowing to exploit CVE-2020-11022 or CVE-2020-11023.

We are getting rid of jQuery opportunistically overall whenever we can (art #39762) but removing it completely is unlikely to happen in short term.

That's being said in the current situation we might be able to get rid of these really old version at least to prevent it from being flagged.

Category changed from Continuous Integration to Other
Reported in version changed from 16.7 to All