#29029 closed Bug (wontfix)
Django 1.8.18 admin uses jquery version with security issues
Reported by: | Michael Clagett | Owned by: | nobody |
---|---|---|---|
Component: | contrib.admin | Version: | 1.8 |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | yes | UI/UX: | no |
Description
jQuery 1.11.2 has known security issues: https://github.com/jquery/jquery/issues/2432
Change History (3)
comment:1 by , 7 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
comment:2 by , 7 years ago
There is also an XSS vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2015-9251) present in all jQuery versions prior to 3.x. If I'm reading Django's git logs correctly, master contains jQuery 3.x but no version of Django with jQuery 3.x has been released yet. So all released versions are at risk.
Even if Django's own code does not make use of the vulnerable functions, it remains that:
- Developers basing their sites on Django and customizing their admin interface use the jQuery shipped with Django.
- 3rd party libraries that augment the admin interface also use the jQuery that is shipped with Django.
comment:3 by , 7 years ago
Correct, and doing a major jQuery version upgrade on the stable releases is too risky, I think.
As far as I saw, the admin doesn't use any of the features of jQuery which are vulnerable. If you found differently, please contact security@….
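A defender's check motivated by comments 2 and 3 above, added here as an example and not code from the ticket, Django or jQuery: a small Python audit that reads the banner of a bundled jQuery file, extracts its version and flags anything below 3.0.0, the boundary comment 2 gives for CVE-2015-9251. The banners in SAMPLES are constructed, and the admin/js/vendor/jquery/ path is an assumption about where a Django checkout keeps the file.

```python
"""Flag a bundled jQuery older than 3.0 (the CVE-2015-9251 range named in the ticket).
Added example with constructed sample banners, not Django's own code."""
import re
from pathlib import Path

# Both jQuery builds open with a banner naming the version:
#   minified: /*! jQuery v1.11.2 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */
#   full:     /*!\n * jQuery JavaScript Library v1.11.2\n ...
BANNER_RE = re.compile(r"/\*!\s*(?:\*\s*)?jQuery(?: JavaScript Library)?\s+v(\d+\.\d+\.\d+)")

FIXED_IN = (3, 0, 0)  # comment 2: the XSS is present in every release before 3.x

def parse_version(text: str) -> tuple:
    """'1.11.2' -> (1, 11, 2), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))

def jquery_version(source: str):
    """Version string from a jQuery banner, or None if the file is not jQuery."""
    match = BANNER_RE.search(source[:4096])  # the banner sits at the top of the file
    return match.group(1) if match else None

def is_affected(version: str) -> bool:
    """True when the version predates the 3.0.0 fix."""
    return parse_version(version) < FIXED_IN

def audit(sources: dict) -> list:
    """{label: js source} -> [(label, version, affected)] for every file carrying a banner."""
    findings = []
    for label, source in sources.items():
        version = jquery_version(source)
        if version is not None:
            findings.append((label, version, is_affected(version)))
    return findings

def scan_directory(root: str) -> list:
    """Audit every jquery*.js below root, e.g. a Django checkout's
    django/contrib/admin/static/admin/js/vendor/jquery/ (assumed layout)."""
    files = Path(root).rglob("jquery*.js")
    return audit({str(p): p.read_text(encoding="utf-8", errors="replace") for p in files})

# Constructed samples standing in for the shipped files.
SAMPLES = {
    "vendor/jquery/jquery.min.js": "/*! jQuery v1.11.2 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */",
    "vendor/jquery/jquery.js": "/*!\n * jQuery JavaScript Library v3.3.1\n * https://jquery.com/\n */",
    "admin/js/core.js": "// constructed: not jQuery",
}
```

Running `scan_directory` against a deployed STATIC_ROOT catches copies that third-party admin add-ons vendor in alongside Django's own, which is the exposure comment 2 points at.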