
Vulnerable JavaScript libraries #17959

Closed
kravietz opened this issue Nov 15, 2019 · 2 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap bug

Comments

@kravietz

kravietz commented Nov 15, 2019

Steps to reproduce

  1. Install Retire.js extension in your browser
  2. Walk through the pages of a latest NextCloud instance
  3. See the following vulnerable JavaScript dependencies pop-up in JavaScript console:
Loaded script with known vulnerabilities: https://example.com/core/js/dist/main.js?v=14e0c884
 - jquery 2.1.4 - Info: https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
 - jquery-migrate 1.4.1 - Info:
 - jquery-ui-dialog 1.12.1 - Info:
 - jquery-ui-autocomplete 1.12.1 - Info:
 - jquery-ui-tooltip 1.12.1 - Info: content.js:19:13
Loaded script with known vulnerabilities: https://example.com/settings/js/vue-settings-personal-security.js?v=14e0c884
 - bootstrap 3.3.5 - Info: https://github.com/twbs/bootstrap/issues/28236 https://github.com/twbs/bootstrap/issues/20184 https://github.com/twbs/bootstrap/issues/20184 https://github.com/twbs/bootstrap/issues/20184 content.js:19:13
Loaded script with known vulnerabilities: https://example.com/custom_apps/twofactor_u2f/js/settings.js?v=14e0c884
 - bootstrap 3.3.5 - Info: https://github.com/twbs/bootstrap/issues/28236 https://github.com/twbs/bootstrap/issues/20184 https://github.com/twbs/bootstrap/issues/20184 https://github.com/twbs/bootstrap/issues/20184

jquery-ui was also previously reported here: #12980, #12960, but please note that an upgrade of Bootstrap and jQuery should be very easy, as these are minor patch-level upgrades.

Server configuration

Operating system: Linux

Web server: Nginx

Database: MySQL

PHP version:

Nextcloud version: Nextcloud 16.0.5.1

Updated from an older Nextcloud/ownCloud or fresh install:

@kravietz kravietz added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Nov 15, 2019
@kesselb
Contributor

kesselb commented Nov 15, 2019

jQuery should be a false positive: #6720

cc @nextcloud/javascript

@skjnldsv
Member

skjnldsv commented Nov 16, 2019

Yep, it is also fixed in the newest Nextcloud versions.

> please note that upgrade of Bootstrap and JQuery should be very easy as these are minor patchlevel upgrades.

Actually not (quoting jQuery repo):

> The issue was patched in jQuery 3.0.0 and erroneously backported to 1.12/2.2. The change has been reverted in 1.12.3/2.2.3 as it was a breaking change; it will not be brought back there.

We're stuck with removing jQuery slowly.
Keep in mind that we manually disabled the problematic functions of jQuery. So we're in fact safe to use jQuery here.
https://github.com/nextcloud/server/blob/7dc5bbae39413e3986bbc35ad512582f073143cb/core/src/jquery/index.js
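The thread turns on whether a jQuery build flagged by version string still carries the CVE-2019-11358 behaviour (prototype pollution through a deep `jQuery.extend`) once the problematic code is disabled. The following is an added example, not Nextcloud's or jQuery's code: a minimal deep merge in the pre-3.4.0 style, the hardened form that mirrors the `__proto__` guard from the jQuery 3.4.0 fix commit linked above, and a probe that tells whether any extend-like function actually pollutes `Object.prototype`. The function names and the probe key are constructed for this example.

```javascript
// Added example (not Nextcloud's or jQuery's code). jQuery treats an object
// with no prototype as "plain", which is what lets Object.prototype itself be
// selected as the merge target for a "__proto__" key.
function isPlainObjectLikeJQuery(v) {
  if (v === null || typeof v !== "object") return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || proto === Object.prototype;
}

// Vulnerable (pre-3.4.0 style): a source key "__proto__" reads
// target.__proto__ (= Object.prototype), which passes the plain-object test,
// so the recursion writes the payload's properties onto Object.prototype.
function extendDeepVulnerable(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (isPlainObjectLikeJQuery(copy)) {
      const src = target[name];
      const clone = isPlainObjectLikeJQuery(src) ? src : {};
      target[name] = extendDeepVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Hardened: the jQuery 3.4.0 fix skips the "__proto__" key outright and also
// refuses to merge an object into itself. Everything else merges as before.
function extendDeepHardened(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (name === "__proto__" || target === copy) continue;
    if (isPlainObjectLikeJQuery(copy)) {
      const src = target[name];
      const clone = isPlainObjectLikeJQuery(src) ? src : {};
      target[name] = extendDeepHardened(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Probe an extend-like deep-merge function for prototype pollution. The probe
// key is constructed per call and removed again, so a positive result leaves
// no residue on Object.prototype.
function pollutesPrototype(extendFn) {
  const probe = "__pp_probe_" + Math.random().toString(36).slice(2);
  const payload = JSON.parse('{"__proto__": {"' + probe + '": true}}');
  try {
    extendFn({}, payload);
    return ({})[probe] === true;
  } finally {
    delete Object.prototype[probe];
  }
}
```

Against a live page, the same probe can be pointed at the loaded build with a wrapper such as `pollutesPrototype((t, s) => jQuery.extend(true, t, s))` from the browser console; a `false` result confirms that the merge behaviour is fixed regardless of what the version string reports to Retire.js.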
