jQuery Version in Nextcloud 21/22

Hi Support

A vulnerability assessment for Nextcloud 20.0.08 has come up with jQuery version 2.2.4 being still vulnerable. What’s the jQuery version in Nextcloud 22? I don’t see any details for the same in the changelog.

Could you please help?

You can find the jQuery version in

https://raw.githubusercontent.com/nextcloud/server/master/core/js/dist/main.js

On a running Nextcloud server, get
https://cloud.server.tld/core/js/dist/main.js

Example Nextcloud 22:
https://demo1.nextcloud.com/core/js/dist/main.js

Put the result (e.g. Nextcloud 22) into https://beautifier.io and search for “jquery”:

w.fn = w.prototype = {
            jquery: "3.3.1",

Sorry, but this is also only a number. Perhaps it is not correct.

Text in https://raw.githubusercontent.com/nextcloud/server/master/core/js/dist/main.js

/*!
 * jQuery JavaScript Library v3.3.1
 * https://jquery.com/
 *
 * Includes Sizzle.js
 * https://sizzlejs.com/
 *
 * Copyright JS Foundation and other contributors
 * Released under the MIT license
 * https://jquery.org/license
 *
 * Date: 2018-01-20T17:24Z

I also found an issue concerning jQuery and new versions.
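The manual check described above (fetch core/js/dist/main.js, then search for "jquery") can be scripted. This is an added example, not part of the original posts and not Nextcloud code: the function names and the sample bundle are constructed for illustration, and the 3.5.0 threshold is the one the assessment quoted in this thread expects.

```javascript
// SAMPLE_BUNDLE is constructed for this example; it mimics the two markers quoted in the thread.
const SAMPLE_BUNDLE = [
  '/*!',
  ' * jQuery JavaScript Library v3.3.1',
  ' */',
  '!function(e,t){var w=function(e,t){return new w.fn.init(e,t)};',
  'w.fn=w.prototype={jquery:"3.3.1",constructor:w,length:0}}(window);',
].join('\n');

// Two markers: the licence banner and the `jquery: "x.y.z"` prototype property
// (whitespace is optional so minified and beautified bundles both match).
const MARKERS = [
  { source: 'banner', re: /jQuery JavaScript Library v(\d+\.\d+\.\d+)/g },
  { source: 'prototype', re: /\bjquery\s*:\s*["'](\d+\.\d+\.\d+)["']/g },
];

// Return every declared jQuery version found in the bundle text, with its offset.
function findJqueryVersions(bundleText) {
  const hits = [];
  for (const { source, re } of MARKERS) {
    for (const m of bundleText.matchAll(re)) {
      hits.push({ source, version: m[1], offset: m.index });
    }
  }
  return hits;
}

// Numeric comparison of dotted versions (a plain string compare would rank 3.10.0 below 3.5.0).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Summarise the bundle: distinct versions, whether the markers agree, and which fall below the minimum.
function auditBundle(bundleText, minimum = '3.5.0') {
  const hits = findJqueryVersions(bundleText);
  const versions = [...new Set(hits.map((h) => h.version))];
  return {
    versions,
    consistent: versions.length <= 1,
    belowMinimum: versions.filter((v) => compareVersions(v, minimum) < 0),
  };
}

console.log(auditBundle(SAMPLE_BUNDLE));
```

The result reflects only the version strings the bundle declares, which is the same information a version-based scanner plugin keys on.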

Thanks for the reply. I see that it's still 3.3.1. As per the assessment [URL given below], they expect version 3.5.0 or above.
Is this product [Nextcloud 20.X or above] affected by the below vulnerability?

https://www.tenable.com/plugins/was/112383

I am facing the same issue as well. I have upgraded to Nextcloud 22 with jQuery version 3.3.1, but it is still vulnerable to the CVEs below. Any update from Nextcloud support on this?
CVE-2020-11023
CVE-2020-11022
CVE-2019-11358

This is the community forum and not the right place to address such issues.

Please check Issues · nextcloud/server · GitHub for already reported security issues.
If nothing is there, please file a new one.

Thank you for taking care of such issues.

Hi @rakekniven

Can you please advise how we can check already created security issues now?
As I see it now, this resource https://hackerone.com/nextcloud?type=team&view_policy=true is not really a bug tracker where I can check already created issues.

I am looking for a way to report jQuery 3.3.1 issues regarding
CVE-2020-11023
CVE-2020-11022
CVE-2019-11358

The problematic functions were patched out a long time ago, so although an older version is used, the Nextcloud code base is not vulnerable.

2 Likes