We are using Confluence 7.19.0 LTS and the pentest reported a vulnerability in our Confluence. If we upgrade to 7.20.2, will jQuery be updated to a 3.x version?
The library jquery version 2.2.4 has known security issues.
For more information, visit those websites:
- https://github.com/jquery/jquery/issues/2432
- http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
- https://nvd.nist.gov/vuln/detail/CVE-2015-9251
- http://research.insecurelabs.org/jquery/test/
Affected versions
The vulnerability is affecting all versions prior to 3.0.0-beta1 (between 1.12.3 and 3.0.0-beta1)
I understand from the description that you are trying to understand if Confluence Server running on version 7.19.0 is using a vulnerable version of jQuery (2.2.4), related to CVE-2015-9251.
I have checked internally with our security team about Confluence being affected by the CVE-2015-9251 vulnerability, and they verified that this exploit is not affecting Confluence 7.0.1 or newer.
This is not version 3 of jQuery, but Atlassian maintains its own fork of jQuery, and that forked version has been patched.
I hope this helps.
Regards,
Andy
Hi Andy,
Sorry for not requesting this follow-up question in the previous request.
Does this also apply to moment.js?
The library moment.js version 2.29.3 has known security issues.
For more information, visit those websites:
- https://security.snyk.io/vuln/SNYK-JS-MOMENT-2944238
- https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g
Affected versions
The vulnerability is affecting all versions prior to 2.29.4 (between 2.18.0 and 2.29.4)
Hi @Cor Zijlstra,
If you have found a vulnerability, please report it in https://www.atlassian.com/trust/security/report-a-vulnerability
If you are looking for support, then please raise a ticket in https://support.atlassian.com/contact/#/
If I follow both suggested URLs, I finally end up here in the community again.
Probably because of the starter license?
Thx!