Drupal 7.56 uses jQuery 1.4.4 which has several known vulnerabilities. Is Drupal therefore vulnerable?

I haven't been able to find an answer to this question. I know about jQuery Update, but I don't want to update jQuery unless necessary.

Setting "Critical" because I don't know whether my Drupal 7 site is secure.

Comments

AohRveTPV created an issue. See original summary.

ayesh’s picture

As far as I know, 1.4.4 is the latest patch release of the 1.4 branch.
We can't say Drupal is vulnerable because jQuery is client-side code, and there are quite a few places where jQuery is invoked with dynamic data. Ajax requests pop into my head.

Can you post more information on the particular vulnerabilities you have focused on?

aohrvetpv’s picture

Thanks for the reply. I don't understand why a vulnerability in Drupal's client-side code would not be considered a vulnerability with Drupal. Users can't be expected to disable JavaScript for a site because they realize it is Drupal 7 and it might send them vulnerable code to execute. If, for instance, a site administrator is targeted with an XSS vulnerability, it does not matter whether it was made possible by client- or server-side code. (That said, I don't know whether any of the known jQuery 1.4.4 vulnerabilities actually affect Drupal 7.56.)

A Sonar (https://sonarwhal.com) scan of a Drupal 7 site identified these vulnerabilities due to jQuery 1.4.4:

(Unknown CVE number):
https://snyk.io/vuln/npm:jquery:20150627

CVE-2014-6071:
https://snyk.io/vuln/npm:jquery:20140902

CVE-2011-4969:
https://snyk.io/vuln/npm:jquery:20110606

mustanggb’s picture

Priority: Critical » Normal

Support requests aren't critical.

mrgoodfellow’s picture

Is there a security ticket in regard to this issue and jQuery version 1.4.4?

A security scan identified the following issues with jQuery 1.4.4:

http://blog.jquery.com/2011/09/01/jquery-1-6-3-released/
"Fix an XSS attack vector: User ma.la reported a common pattern that many sites are using to select elements using location.hash that allows someone to inject script into the page. This practice seemed widespread enough that we decided to modify the selector recognition to prevent script injection for the most common case. Any string passed to $() cannot contain HTML tags (and thus no script) if it has a “#” character preceding them. See the ticket linked above for more information and a test case."

https://bugs.jquery.com/ticket/11290
Selector interpreted as HTML

XSS via 3rd party text/javascript responses:
https://github.com/jquery/jquery/issues/2432

These were the scan results against 1.4.4.

Is there any official Drupal documentation on jQuery?
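
An added example, not part of the original thread and not Drupal or jQuery code: a site owner's check for the `$(location.hash)` pattern that the jQuery 1.6.3 note quoted above describes, together with an id-only replacement for it. The names `findHashSelectors`, `idFromHash` and `SAMPLE_SOURCE` are assumptions made up for this illustration, and the sample source is constructed.

```javascript
// Added example: audit custom theme/module JavaScript for the pattern from the
// jQuery 1.6.3 release note, where the raw URL fragment is handed to $().

// Matches $(...) or jQuery(...) calls whose first argument begins with
// location.hash, window.location.hash or document.location.hash.
const HASH_SELECTOR =
  /(?:\$|\bjQuery)\s*\(\s*(?:(?:window|document)\s*\.\s*)?location\s*\.\s*hash\b/;

// Return [{ line, text }] for every source line that passes the fragment to $().
function findHashSelectors(source) {
  return source
    .split(/\r?\n/)
    .map((text, i) => ({ line: i + 1, text: text.trim() }))
    .filter(({ text }) => HASH_SELECTOR.test(text));
}

// Replacement for the flagged pattern: reduce the fragment to a plain element
// id, or null. Only letters, digits, "_" and "-" are accepted, so the result
// cannot be interpreted as markup whichever jQuery version is loaded.
function idFromHash(hash) {
  const m = /^#([A-Za-z][\w-]*)$/.exec(String(hash));
  return m ? m[1] : null;
}

// Constructed sample source (not taken from Drupal core or any real module).
const SAMPLE_SOURCE = [
  "var tab = $(location.hash);",
  "jQuery( window.location.hash ).addClass('active');",
  "var el = document.getElementById(idFromHash(location.hash));",
  "$('#' + name).show();",
].join("\n");

for (const hit of findHashSelectors(SAMPLE_SOURCE)) {
  console.log(`line ${hit.line}: ${hit.text}`);
}
```

In the browser, the value returned by `idFromHash(location.hash)` goes to `document.getElementById`, with a null result treated as "no target".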

cilefen’s picture

Status: Active » Fixed

Please contact the security team with these concerns if there is no public position on jQuery 1 in Drupal 7.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.