Varun Ganesh created SLING-7789:
-----------------------------------

             Summary: Security bug CVE-2015-9251 with some sling dependent jars
                 Key: SLING-7789
                 URL: https://issues.apache.org/jira/browse/SLING-7789
             Project: Sling
          Issue Type: Bug
          Components: Extensions, Launchpad
    Affects Versions: Sling Explorer 1.0.4, Sling Explorer 1.0.2, Launchpad Builder 6
            Reporter: Varun Ganesh


Hi Experts,

    In our product we are using Sling version 6 in one of our releases. (Working on migration to Sling 10 for the next versions.)


    Recently we came across a security bug, CVE-2015-9251.
    (CVE-2015-9251 is a vulnerability that allows an attacker to execute arbitrary code when text/javascript responses are received from cross-origin ajax requests not containing the option `dataType`. Its CVSS score is 6.1 in NVD.)
    

    To fix this, an upgrade of jQuery to versions greater than 3.0.0 is required.
    
    In our product we are using two Sling dependencies which contain jQuery:
    1) org.apache.sling.launchpad.webapp - v6 (war) - contains org.apache.felix.webconsole-3.1.6.jar, which internally uses jQuery v1.3.2.js.
    2) org.apache.sling.extensions.explorer - v1.0.3 (jar) - contains jQuery v1.4.2.min.js
    
    As part of the fix for the security bug we need to upgrade the jQuery in the jars mentioned above.
    For that we checked the latest versions of the above-mentioned jars and identified that their jQuery versions are not above v3.0.0.
    So could you please help us in upgrading them as soon as possible?
    
Thanks,
Varun.
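As an added example (not part of this report or of the Sling project), a small Python audit that opens every jar under a directory, reads the jQuery banner comment from any bundled .js file and flags copies older than 3.0.0, the threshold the report gives for CVE-2015-9251. The two jar names mirror the bundles named above; the entry paths inside them, the third "patched-bundle.jar" and the stub file contents are constructed for the demo.

```python
import re
import tempfile
import zipfile
from pathlib import Path

FIXED_VERSION = (3, 0, 0)  # anything older is affected by CVE-2015-9251 (per the report)

# jQuery's banner: " * jQuery JavaScript Library v1.3.2" (full build) or
# "/*! jQuery v3.3.1" (minified). It sits at the top, so 4 KB is enough to read.
JQUERY_BANNER = re.compile(rb"jQuery(?: JavaScript Library)? v(\d+)\.(\d+)\.(\d+)")

def find_jquery_versions(jar_path):
    """Return [(entry_name, (major, minor, patch))] for every jQuery copy in a jar."""
    found = []
    with zipfile.ZipFile(jar_path) as jar:
        for entry in jar.namelist():
            if entry.lower().endswith(".js"):
                match = JQUERY_BANNER.search(jar.read(entry)[:4096])
                if match:
                    found.append((entry, tuple(int(n) for n in match.groups())))
    return found

def audit_jars(directory):
    """Walk a directory of jars; flag every bundled jQuery older than 3.0.0."""
    findings = []
    for jar_path in sorted(Path(directory).rglob("*.jar")):
        for entry, version in find_jquery_versions(jar_path):
            # Tuple comparison gives numeric version ordering, e.g. (1, 4, 2) < (3, 0, 0).
            findings.append((jar_path.name, entry, version, version < FIXED_VERSION))
    return findings

def build_sample_jars(directory):
    """Constructed fixture: jars named after the report's bundles, each holding a stub .js
    with a jQuery banner. Entry paths, contents and the third jar are made up."""
    samples = [
        ("org.apache.felix.webconsole-3.1.6.jar", "res/ui/jquery-1.3.2.js",
         b"/*!\n * jQuery JavaScript Library v1.3.2\n */\n"),
        ("org.apache.sling.extensions.explorer-1.0.3.jar", "js/jquery-1.4.2.min.js",
         b"/*!\n * jQuery JavaScript Library v1.4.2\n */\n"),
        ("patched-bundle.jar", "js/jquery-3.3.1.min.js",
         b"/*! jQuery v3.3.1 | (c) JS Foundation | jquery.org/license */\n"),
    ]
    for jar_name, entry, body in samples:
        with zipfile.ZipFile(Path(directory) / jar_name, "w") as jar:
            jar.writestr(entry, body)

def run_demo():
    """Build the fixture in a temp dir and return its audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jars(tmp)
        return audit_jars(tmp)
```

Point `audit_jars` at a real bundle directory (for example the contents of a Launchpad war) to list every bundled jQuery and whether it is below the 3.0.0 threshold.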



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)