Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#29029 closed Bug (wontfix)

Django 1.8.18 admin uses jquery version with security issues

Reported by: Michael Clagett
Owned by: nobody
Component: contrib.admin
Version: 1.8
Severity: Normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: yes
UI/UX: no

Description

jQuery 1.11.2 has known security issues: https://github.com/jquery/jquery/issues/2432

Change History (3)

comment:1 by Tim Graham, 7 years ago

Resolution: wontfix
Status: new → closed

As far as I saw, the admin doesn't use any of the features of jQuery which are vulnerable. If you found differently, please contact security@….

comment:2 by Louis-Dominique Dubeau, 7 years ago

There is also an XSS vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2015-9251) present in all jQuery versions prior to 3.x. If I'm reading Django's git logs correctly, master contains jQuery 3.x but no version of Django with jQuery 3.x has been released yet. So all released versions are at risk.

Even if Django's own code does not make use of the vulnerable functions, it remains that:

  1. Developers basing their sites on Django and customizing their admin interface use the jQuery shipped with Django.
  2. 3rd party libraries that augment the admin interface also use the jQuery that is shipped with Django.
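
A defender-side check for the situation the comment above describes, added here as an example (it is not code from Django or from the ticket): walk a project's collected static directory, find every jQuery copy, and flag those older than 3.0.0, the fix line the comment cites for CVE-2015-9251. The `admin/js/vendor/jquery/` path in the constructed sample tree is illustrative only and is not claimed to match any particular Django release.

```python
import re
import tempfile
from pathlib import Path

# Per the comment above, CVE-2015-9251 affects jQuery versions prior to 3.x.
FIXED_IN = (3, 0, 0)

# jQuery file headers carry a banner such as "jQuery JavaScript Library v1.11.2"
# (full build) or "jQuery v3.3.1" (minified build).
BANNER_RE = re.compile(r"jQuery(?: JavaScript Library)? v(\d+)\.(\d+)\.(\d+)")


def jquery_version(source: str):
    """Return (major, minor, patch) parsed from a jQuery file's banner, or None."""
    m = BANNER_RE.search(source[:2000])  # the banner sits in the file header
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version) -> bool:
    """True when a parsed version predates the fixed 3.x line."""
    return version is not None and version < FIXED_IN


def scan(root: Path):
    """Report every jQuery copy under `root` that is older than FIXED_IN."""
    findings = []
    for path in root.rglob("*.js"):
        if "jquery" not in path.name.lower():
            continue  # only inspect files that name themselves as jQuery
        v = jquery_version(path.read_text(encoding="utf-8", errors="replace"))
        if is_affected(v):
            findings.append((str(path.relative_to(root)), ".".join(map(str, v))))
    return findings


def demo():
    """Constructed sample tree (hypothetical paths): one old admin copy, one patched copy."""
    root = Path(tempfile.mkdtemp())
    admin = root / "admin" / "js" / "vendor" / "jquery"
    admin.mkdir(parents=True)
    (admin / "jquery.js").write_text("/*!\n * jQuery JavaScript Library v1.11.2\n */\n")
    vendor = root / "thirdparty"
    vendor.mkdir()
    (vendor / "jquery.min.js").write_text("/*! jQuery v3.3.1 | (c) JS Foundation */\n")
    return scan(root)


if __name__ == "__main__":
    for rel_path, version in demo():
        print(f"{rel_path}: jQuery {version} is older than 3.0.0")
```

Running `scan()` against a real `STATIC_ROOT` after `collectstatic` covers both the admin's own copy and any third-party admin add-ons that bundle jQuery, which is the exposure the comment points out.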

comment:3 by Tim Graham, 7 years ago

Correct, and doing a major jQuery version upgrade on the stable releases is too risky, I think.
