Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Potential jquery-ui Vulnerability (CVE-2022-31160) #19637

Closed
heurteph-ei opened this issue Aug 17, 2022 · 2 comments
Closed

Potential jquery-ui Vulnerability (CVE-2022-31160) #19637

heurteph-ei opened this issue Aug 17, 2022 · 2 comments
Labels
answered For when a question was asked and we referred to forum or answered it. Potential Bug Something that might be a bug, but needs validation and confirmation it can be reproduced.

Comments

@heurteph-ei
Copy link

Expected Behavior / Current Behavior

we continiously scan all our Products and Packages which we use in our Production Environment.
Afterwards we decide if a found CVE is vaiable or not. We have Matomo Version 4.10.1 in use and our Scanning Tool of Choice (Sonartype NexusIQ) found the following Vulnerability:

CVW-2022-31160: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31160
CVE CVE: https://cwe.mitre.org/data/definitions/79.html

Explanation (shortened):

The jquery-ui package is vulnerable to Cross-Site Scripting (XSS) attacks. In cases where the checkboxradio widget is initialized within a label element, the _getCreateOptions() function in checkboxradio.js will erroneously decode any encoded HTML elements within the label when the .checkboxradio( "refresh" ) function is invoked.

Description:

Calling .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the label in a span.

Detection:

The application is vulnerable by using this component if users are able to manipulate the contents of label elements that also contain a checkboxradio widget.

So, I have to kind of evaluate, if this CVE is viable or not. Actually, I would say it´s not, cause Matomo doesn´t use the described functions or „label elements that contain a checkboxradio widget“.

Please let me know if I´m wrong. 😉

Any Plans of Updating jQuery UI in future Releases?

Possible Solution

Remove any reference to jQuery/jQuery UI

See also

#17272

Context

https://forum.matomo.org/t/potential-jquery-ui-vulnerability-cve-2022-31160/46970
@heurteph-ei heurteph-ei added the Potential Bug Something that might be a bug, but needs validation and confirmation it can be reproduced. label Aug 17, 2022
@MatomoForumNotifications
Copy link

This issue has been mentioned on Matomo forums. There might be relevant details there:

https://forum.matomo.org/t/potential-jquery-ui-vulnerability-cve-2022-31160/46970/2

@sgiehl
Copy link
Member

sgiehl commented Aug 17, 2022

We may fully remove jQuery UI as part of #16033
Besides that we are not aware of any CVE reported for jQuery UI that really affects Matomo.
As we are not using many parts of jQuery UI anymore, most reports affect parts we don't use at all - like this one.

@sgiehl sgiehl closed this as not planned Won't fix, can't repro, duplicate, stale Aug 17, 2022
@sgiehl sgiehl added the answered For when a question was asked and we referred to forum or answered it. label Aug 17, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
answered For when a question was asked and we referred to forum or answered it. Potential Bug Something that might be a bug, but needs validation and confirmation it can be reproduced.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@sgiehl @heurteph-ei @MatomoForumNotifications