Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Insecure jquery 2.1.4 #20328

Closed
kravietz opened this issue Apr 6, 2020 · 2 comments
Closed

Insecure jquery 2.1.4 #20328

kravietz opened this issue Apr 6, 2020 · 2 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap bug needs info

Comments

@kravietz
Copy link

kravietz commented Apr 6, 2020

How to use GitHub

  • Please use the 👍 reaction to show that you are affected by the same issue.
  • Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
  • Subscribe to receive notifications on status change and new comments.

Steps to reproduce

  1. Install Retire.js
  2. Browse to any page on an Nextcloud 18.0.3 instance
  3. Watch JavaScript console for security warnings from Retire

Expected behaviour

No security warnings

Actual behaviour

Loaded script with known vulnerabilities: https://nextcloud.krvtz.net/nextcloud/core/js/dist/main.js?v=1735f379-0
 - jquery 2.1.4 - Info: https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
 - jquery-migrate 1.4.1 - Info: 
 - jquery-ui-dialog 1.12.1 - Info: 
 - jquery-ui-autocomplete 1.12.1 - Info: 
 - jquery-ui-tooltip 1.12.1 - Info: 

Server configuration

Operating system: Linux

Web server: Apache

Database: PostgreSQL

PHP version: 7.3

Nextcloud version: 18.0.3

Updated from an older Nextcloud/ownCloud or fresh install: from 18.0.2

Where did you install Nextcloud from:

Signing status:

Signing status
No errors have been found.

List of activated apps:

App list
Enabled:
  - accessibility: 1.4.0
  - activity: 2.11.0
  - bruteforcesettings: 1.6.0
  - calendar: 2.0.2
  - cloud_federation_api: 1.1.0
  - comments: 1.8.0
  - contacts: 3.2.0
  - dav: 1.14.0
  - federatedfilesharing: 1.8.0
  - federation: 1.8.0
  - files: 1.13.1
  - files_fulltextsearch: 1.4.2
  - files_fulltextsearch_tesseract: 1.4.1
  - files_pdfviewer: 1.7.0
  - files_rightclick: 0.15.2
  - files_sharing: 1.10.1
  - files_trashbin: 1.8.0
  - files_versions: 1.11.0
  - files_videoplayer: 1.7.0
  - firstrunwizard: 2.7.0
  - fulltextsearch: 1.4.1
  - logreader: 2.3.0
  - lookup_server_connector: 1.6.0
  - maps: 0.1.6
  - metadata: 0.11.1
  - nextcloud_announcements: 1.7.0
  - notifications: 2.6.0
  - oauth2: 1.6.0
  - password_policy: 1.8.0
  - photos: 1.0.0
  - privacy: 1.2.0
  - provisioning_api: 1.8.0
  - recommendations: 0.6.0
  - serverinfo: 1.8.0
  - settings: 1.0.0
  - sharebymail: 1.8.0
  - support: 1.1.0
  - survey_client: 1.6.0
  - systemtags: 1.8.0
  - tasks: 0.12.1
  - text: 2.0.0
  - theming: 1.9.0
  - twofactor_backupcodes: 1.7.0
  - twofactor_totp: 4.1.3
  - twofactor_u2f: 5.1.0
  - updatenotification: 1.8.0
  - viewer: 1.2.0
  - workflowengine: 2.0.0

Nextcloud configuration:

Config report
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "XXX",
            "nextcloud.XXX"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "18.0.3.0",
        "overwrite.cli.url": "http:\/\/XXX\/nextcloud",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "tls",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "25",
        "twofactor_enforced": "true",
        "twofactor_enforced_groups": [],
        "twofactor_enforced_excluded_groups": [],
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "updater.secret": "***REMOVED SENSITIVE VALUE***"
    }
}

Are you using external storage, if yes which one: No

Are you using encryption: No

Are you using an external user-backend, if yes which one: No

Client configuration

Browser: Firefox

Operating system: Linux

Logs

Provided above. Server-side logs irrelevant in this case.

Browser log

Browser log
Provided above.
</details>
@kravietz kravietz added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Apr 6, 2020
@kesselb
Copy link
Contributor

kesselb commented Apr 6, 2020

Are you a bot? ;) #17959

@kravietz
Copy link
Author

kravietz commented Apr 6, 2020

@kesselb Definitely not :) But I'm posting quite a lot of these to projects I use that I simply forgot it was already submitted & closed. I now see the announcement about Nextcloud 19 which is great, closing this one.

@kravietz kravietz closed this as completed Apr 6, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap bug needs info
Projects
None yet
Development

No branches or pull requests

2 participants