Hi Support
A vulnerability assessment for Nextcloud 20.0.08 has come up with jQuery version 2.2.4 being still vulnerable. What’s the jQuery version in Nextcloud 22? I don’t see any details for the same in the changelog.
Could you please help?
You can find the jQuery version in
https://raw.githubusercontent.com/nextcloud/server/master/core/js/dist/main.js
On a running Nextcloud server, get
https://cloud.server.tld/core/js/dist/main.js
Example Nextcloud 22:
https://demo1.nextcloud.com/core/js/dist/main.js
Put the result (e.g. Nextcloud 22) into https://beautifier.io and search for “jquery”:
w.fn = w.prototype = {
jquery: "3.3.1",
Sorry, but this is also only a number. Perhaps it is not correct.
Text in https://raw.githubusercontent.com/nextcloud/server/master/core/js/dist/main.js:
/*!
* jQuery JavaScript Library v3.3.1
* https://jquery.com/
*
* Includes Sizzle.js
* https://sizzlejs.com/
*
* Copyright JS Foundation and other contributors
* Released under the MIT license
* https://jquery.org/license
*
* Date: 2018-01-20T17:24Z
I also found an issue concerning jQuery and new versions.
Thanks for the reply. I see that it’s still 3.3.1. As per the assessment [URL given below], they expect version 3.5.0 or above.
Is this product [Nextcloud 20.X or above] affected by the below vulnerability?
I am facing the same issue as well. I have upgraded to Nextcloud 22 with jQuery version 3.3.1, but it is still vulnerable to the below CVEs. Any update from Nextcloud support on this?
CVE-2020-11023
CVE-2020-11022
CVE-2019-11358
This is the community forum and not the right place to address such issues.
Please check Issues · nextcloud/server · GitHub for already reported security issues.
If nothing is there, please file a new one.
Thank you for taking care of such issues.
Hi @rakekniven
Can you please advise how we can check already created security issues now?
As I see now this resource https://hackerone.com/nextcloud?type=team&view_policy=true is not really a bug tracker where I can check already created issues.
I am looking for a way to report jQuery 3.3.1 issues regarding
CVE-2020-11023
CVE-2020-11022
CVE-2019-11358
The problematic functions were patched out a long time ago, so although an older version is used, the Nextcloud code base is not vulnerable.
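
As an added example (not part of any post in this thread, and not Nextcloud's code), the manual lookup described above can be scripted: it searches a bundle such as `core/js/dist/main.js` for both the licence banner and the `jquery: "x.y.z"` prototype property, then compares each version found with the 3.5.0 minimum quoted from the assessment. The function names and the sample bundle are assumptions constructed for illustration.

```javascript
// Added example: locate jQuery version strings in a JS bundle and compare
// them with a minimum version. Names here are hypothetical, not Nextcloud's.

// Licence banner, e.g. "jQuery JavaScript Library v3.3.1"
const BANNER_RE = /jQuery JavaScript Library v(\d+\.\d+\.\d+)/g;
// Prototype property, beautified or minified, e.g. jquery: "3.3.1"
const PROP_RE = /\bjquery\s*:\s*["'](\d+\.\d+\.\d+)["']/g;

// Numeric comparison of "major.minor.patch" strings (so 3.10.0 > 3.5.0).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Return every distinct jQuery version string present in the bundle text.
function findJqueryVersions(bundleText) {
  const found = new Set();
  for (const re of [BANNER_RE, PROP_RE]) {
    for (const m of bundleText.matchAll(re)) found.add(m[1]);
  }
  return [...found].sort(compareVersions);
}

// Flag each version that is lower than the scanner's expected minimum.
function report(bundleText, minVersion) {
  return findJqueryVersions(bundleText).map((version) => ({
    version,
    belowMinimum: compareVersions(version, minVersion) < 0,
  }));
}

// Constructed sample, modelled on the two excerpts quoted in the thread.
const SAMPLE_BUNDLE = [
  "/*!",
  " * jQuery JavaScript Library v3.3.1",
  " * https://jquery.com/",
  " */",
  "w.fn = w.prototype = {",
  '    jquery: "3.3.1",',
  "};",
].join("\n");

console.log(report(SAMPLE_BUNDLE, "3.5.0"));
```

A `belowMinimum` result only describes the version string the bundle carries, which is what a scanner reads; as the last reply points out, patched functions do not change that number.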