Followup: jQuery library update

Loaded script with known vulnerabilities: https://graylog/assets/vendor.552834c48b86209e305c.js

• jquery 2.1.4 - Info: Inadequate/dangerous jQuery behavior for 3rd party text/javascript responses · Issue #2432 · jquery/jquery · GitHub jQuery 2.2 and 1.12 Released | Official jQuery Blog http://research.insecurelabs.org/jquery/test/ #11974 ($.parseHTML has ( lots ) of xss issues and can't be labeled as secure in its current implementation) - jQuery - Bug Tracker http://research.insecurelabs.org/jquery/test/
  Loaded script with known vulnerabilities: https://graylog/assets/app.e32c01d85dfc6cc7c0cd.js
• bootstrap 3.3.7 - Info: https://github.com/twbs/bootstrap/issues/20184

Source: GitHub - RetireJS/retire.js: scanner detecting the use of JavaScript libraries with known vulnerabilities. Can also generate an SBOM of the libraries it finds.

Thank you for the links!

• Regarding jQuery, we already updated the library used in Graylog 3.0: https://github.com/Graylog2/graylog2-server/pull/4507
• Bootstrap’s issue is unfortunately not so easy to fix for us, as there is no Bootstrap 3.x release fixing that security issue. Bootstrap 4 is backwards incompatible and we currently rely on dependencies that require Bootstrap 3: https://github.com/Graylog2/graylog2-server/pull/4601 and https://github.com/Graylog2/graylog2-server/issues/4603

NP.

Anyway, Bootstrap 3 seems to be deprecated (no activity on that branch last 9 months), so you’ll have to bite the extra effort of adjusting the code to Bootstrap 4 anyway…

/P

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.