Vulnerable JQuery

Wealot · October 16, 2019, 8:14am

It seems that my server installation has two JQuery libraries that have known vulnerabilities.
I am running the latest OwnCloud (10.2.1).
I just want to find out two things:

Is this correct, or did I do something wrong during upgrade or whatever?
If it is correct is there a timeline that these will be updated?

The vulnerable JQuery libraries are:
jquery-ui-dialog found in: https://{DOMAIN}.com/owncloud/core/vendor/jquery-ui/ui/jquery-ui.custom.js?v=1ae480d407a541fe0346f42c2eb667f3

and

jquery found in: https://{DOMAIN}.com/owncloud/core/vendor/jquery/dist/jquery.min.js?v=1ae480d407a541fe0346f42c2eb667f3

Thanks in advance to any of the answerers

tom42 · October 16, 2019, 4:11pm

Hey,

i think this question is probably better redirected to the ownCloud team at https://github.com/owncloud/core/issues. It looks to me that this issue below could be related which has originated from the discussion in https://central.owncloud.org/t/owncloud-server-10-3-0-rc1-is-available/22056/2:

According to @cs35 in that issue it seems demo.owncloud.org doesn’t show up a vulnerability while his own installation seems to report a vulnerability. So i think it could be indeed possible that a 3rdparty app is using a vulnerable older jQuery version.

cs35 · October 17, 2019, 7:12am

Hello everyone,

as I stated in the Github issue it seems to be from there. We can only wait for it to be ugpraded. Now that 10.3.0 is out I hope it comes in a 10.3.1

Wealot · October 17, 2019, 1:47pm

Thanks for your replies!
I’ll go through the apps and just wait for updates