etherpad-lite
The included jquery version is vulnerable
Please email [email protected] with details of the security issue prior to posting here. Etherpad-Lite includes jQuery version 3.0.0
There are known security issues:
https://nvd.nist.gov/vuln/detail/CVE-2019-11358
https://nvd.nist.gov/vuln/detail/CVE-2020-11022
https://nvd.nist.gov/vuln/detail/CVE-2020-11023
Please update jQuery to the newest version. Thank you!
Thanks for reporting! First steps are https://github.com/ether/etherpad-lite/pull/5112
We still ship jquery directly, so we could just hard code the fixes instead of waiting for me to complete #5112 (unfortunately I'm not sure when I have time for this). EDIT: seems to be possible. For CVE-2020-11022 we should apply the workaround.
Are we vulnerable to all of the three CVEs you posted? Just in case: please make sure to use the given mail address to discuss any PoCs. EDIT: never mind, because we ship jquery directly and a lot of plugins use our jquery version...
Unfortunately I am not so much into js. We did a pentest with a product that uses etherpad-lite and the pentester said that this should be updated because it is vulnerable. If you say that it is not vulnerable it would help. Otherwise it would be nice if you would use an updated or fixed version of jquery.
We haven't been notified w/ any PoC so this hasn't been actioned. Please use the appropriate channels for security related issues.
All of the CVEs mention a fix version of 3.5.0 or before.
Current released version uses 3.7.0: https://github.com/ether/etherpad-lite/blob/v1.9.6/src/static/js/vendors/jquery.js
True. Let's close this one
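The thread closes on a version comparison: the vendored `src/static/js/vendors/jquery.js` carries jQuery 3.7.0, and every CVE named above is fixed in 3.5.0 or earlier. The check below is an added example, not code from the Etherpad project or any commenter. It reads the version out of the banner comment that upstream jQuery places at the top of both its minified and unminified builds (`/*! jQuery v3.7.0 | ...` or `* jQuery JavaScript Library v3.7.0`) and reports which of the three CVEs a given copy still lacks the fix for. The fix versions come from the NVD entries linked in the thread (3.4.0 for CVE-2019-11358, 3.5.0 for the two 2020 CVEs); the assumption is that a vendored file keeps upstream's banner intact, so the two sample banners embedded here are constructed stand-ins for real files.

```python
"""Check a vendored jquery.js against the fix versions of the CVEs
raised in the thread. Added example; not part of etherpad-lite."""
import re
import sys
from pathlib import Path
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# First jQuery release containing the fix for each CVE (per the NVD
# entries linked in the thread).
FIXED_IN = {
    "CVE-2019-11358": (3, 4, 0),   # prototype pollution in jQuery.extend
    "CVE-2020-11022": (3, 5, 0),   # htmlPrefilter / manipulation XSS
    "CVE-2020-11023": (3, 5, 0),   # <option> element handling XSS
}

# Matches both the minified banner ("/*! jQuery v3.7.0 | ...") and the
# unminified one (" * jQuery JavaScript Library v3.7.0").
BANNER_RE = re.compile(r"jQuery(?: JavaScript Library)? v(\d+)\.(\d+)\.(\d+)")


def parse_version(source: str) -> Optional[Version]:
    """Return the (major, minor, patch) tuple from a jquery.js banner,
    or None if no banner is found in the first few kilobytes."""
    match = BANNER_RE.search(source[:4096])
    if not match:
        return None
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def unpatched_cves(version: Version) -> List[str]:
    """CVEs from FIXED_IN whose fix release is newer than `version`."""
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)


def audit_source(source: str) -> Tuple[Optional[Version], List[str]]:
    """Parse the banner and report outstanding CVEs. An unparseable file
    is reported with all CVEs outstanding, so an unknown copy is never
    silently treated as patched."""
    version = parse_version(source)
    if version is None:
        return None, sorted(FIXED_IN)
    return version, unpatched_cves(version)


# Constructed sample banners standing in for real vendored files.
SAMPLE_MINIFIED_370 = (
    "/*! jQuery v3.7.0 | (c) OpenJS Foundation and other contributors "
    "| jquery.org/license */\n!function(e,t){/* ... minified body ... */}"
)
SAMPLE_UNMINIFIED_300 = (
    "/*!\n * jQuery JavaScript Library v3.0.0\n * https://jquery.com/\n */\n"
    "( function( global, factory ) { /* ... */ } )( this );\n"
)


def main(argv: List[str]) -> int:
    # Audit the files given on the command line, e.g.
    #   python check_jquery.py src/static/js/vendors/jquery.js
    # or fall back to the two constructed samples when no path is given.
    sources = (
        [(p, Path(p).read_text(encoding="utf-8", errors="replace")) for p in argv]
        if argv
        else [("sample-3.7.0", SAMPLE_MINIFIED_370), ("sample-3.0.0", SAMPLE_UNMINIFIED_300)]
    )
    worst = 0
    for name, src in sources:
        version, missing = audit_source(src)
        label = ".".join(map(str, version)) if version else "unknown"
        status = "OK" if not missing else "NEEDS UPDATE: " + ", ".join(missing)
        print(f"{name}: jQuery {label} -> {status}")
        worst = max(worst, 1 if missing else 0)
    return worst


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with the path of a vendored `jquery.js` to get a non-zero exit status whenever any of the three CVEs is still unpatched, which makes it easy to wire into a CI step; with no arguments it audits the two constructed samples and reports the 3.0.0 copy as missing all three fixes and the 3.7.0 copy as clean.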