tastypie-swagger: jquery-1.8.0.min.js is vulnerable #3436

Closed
damiencarol opened this issue Dec 9, 2020 · 6 comments

@damiencarol (Contributor)

DefectDojo uses django-tastypie-swagger, which uses jQuery 1.8.0 (vulnerable to multiple security issues).

Finding

File Path: tastypie_swagger\static\tastypie_swagger\js\lib\jquery-1.8.0.min.js
MD5: cd8b0bffc85bb5614385ee4ce3596d07
SHA1: 359c6c1ed98081b9a69eb3513b9deced59c957f9
SHA256: d73e2e1bff9c55b85284ff287cb20dc29ad9165ec09091a0597b61199f330805

References

CVE-2012-6708
CVE-2015-9251
CVE-2019-11358
CVE-2020-11022
CVE-2020-11023

@valentijnscholten (Member) commented Dec 9, 2020

Thanks, good to remind us that dependabot doesn't update static dependencies bundled with other dependencies.
Next time please follow the security policy when reporting vulnerabilities, as described here: https://github.com/DefectDojo/django-DefectDojo/security/policy
API v1 is EOL at the end of the month, which would possibly allow us to remove the swagger UI for API v1.
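The gap described above (a vulnerable jQuery shipped as a static file inside another package, invisible to dependabot) can be found by scanning the installed package tree directly. This is an added example, not code from the thread, DefectDojo or django-tastypie-swagger; the fixed-in versions come from the jQuery advisories for the five CVEs listed in the finding, the SHA256 is the one from the finding, and the file paths and banners in `demo()` are constructed stubs.

```python
# Find jQuery copies bundled inside installed packages and report which of the
# CVEs from this issue still apply to each one.
import hashlib
import re
import tempfile
from pathlib import Path

# Fixed-in versions for the five CVEs listed in the issue (from the jQuery advisories).
JQUERY_CVE_FIXED_IN = {
    "CVE-2012-6708": (1, 9, 0),
    "CVE-2015-9251": (3, 0, 0),
    "CVE-2019-11358": (3, 4, 0),
    "CVE-2020-11022": (3, 5, 0),
    "CVE-2020-11023": (3, 5, 0),
}
# SHA256 of the exact file reported in the issue, matched even if the banner was stripped.
KNOWN_BAD_SHA256 = {"d73e2e1bff9c55b85284ff287cb20dc29ad9165ec09091a0597b61199f330805": "jquery-1.8.0.min.js"}
# Matches "/*! jQuery v1.8.0" (minified) and "jQuery JavaScript Library v1.12.4" (unminified);
# the optional "@" tolerates banners that read "v@1.8.0".
VERSION_RE = re.compile(r"jQuery(?: JavaScript Library)? v@?(\d+)\.(\d+)\.(\d+)")

def parse_version(header):
    m = VERSION_RE.search(header)
    return tuple(int(x) for x in m.groups()) if m else None

def applicable_cves(version):
    # A CVE applies when the bundled version is older than its fixed-in version.
    return sorted(c for c, fixed in JQUERY_CVE_FIXED_IN.items() if version < fixed)

def scan_tree(root):
    """Walk root (e.g. a site-packages directory) and flag vulnerable jQuery files."""
    findings = []
    for path in sorted(Path(root).rglob("*jquery*.js")):
        data = path.read_bytes()
        version = parse_version(data[:512].decode("utf-8", "replace"))  # banner is at the top
        digest = hashlib.sha256(data).hexdigest()
        cves = applicable_cves(version) if version else []
        if cves or digest in KNOWN_BAD_SHA256:
            findings.append({"path": path.relative_to(root).as_posix(), "version": version,
                             "cves": cves, "known_bad_hash": digest in KNOWN_BAD_SHA256})
    return findings

def demo():
    """Constructed sample tree with stub banners (not the real library files)."""
    root = Path(tempfile.mkdtemp())
    samples = {"tastypie_swagger/static/tastypie_swagger/js/lib/jquery-1.8.0.min.js": "/*! jQuery v@1.8.0 jquery.com | jquery.org/license */",
               "other_pkg/static/js/jquery-1.12.4.min.js": "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */",
               "fine_pkg/static/js/jquery-3.5.1.min.js": "/*! jQuery v3.5.1 | (c) JS Foundation | jquery.org/license */"}
    for rel, banner in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(banner + "\n")
    return scan_tree(root)
```

Run `scan_tree()` against a virtualenv's `site-packages` to list every bundled jQuery that pip and dependabot report nothing about; `demo()` shows the expected shape of the output on the stub tree.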

@valentijnscholten (Member) commented Dec 9, 2020

concentricsky/django-tastypie-swagger#140 maybe someone can submit a PR to them :-)

At first sight the vulnerabilities don't look too severe, but there might be a lot more not officially known.

@valentijnscholten valentijnscholten changed the title jquery-1.8.0.min.js is vulnerable tastypie-swagger: jquery-1.8.0.min.js is vulnerable Dec 9, 2020
@damiencarol (Contributor, Author) commented Jan 4, 2021

Made a few discoveries:

  1. It seems the project is dead since 2015...
  2. In fact we use a fork => https://github.com/DefectDojo/django-tastypie-swagger (see ref: https://github.com/DefectDojo/django-DefectDojo/blob/master/requirements.txt#L21)

So maybe I can push a PR on the fork.

@valentijnscholten do you know if we have enough tests on the UI to do this kind of upgrade?

@valentijnscholten (Member)

There are no tests covering that, but the only place it is used is on the APIv1 docs: https://defectdojo/api/v1/doc/, which is deprecated. But a quick update to 1.12.4 might work and resolve most vulnerabilities.

@damiencarol (Contributor, Author) commented Jan 5, 2021

Version 1.12.4 still has a few XSS 😅. If it's part of the APIv1, let's come back to this issue after we remove v1.
Could you assign it to me to keep a trace of it?

@valentijnscholten valentijnscholten added this to the 2.0.0 milestone Apr 26, 2021
@madchap madchap closed this as completed May 2, 2021
@valentijnscholten (Member)

Removed as part of API v1 removal.
