Notice: jQuery CVE-2019-11358

You are viewing documentation for a version of Secret Server that is no longer supported. Delinea supports Secret Server for one year after release. This version has passed that window and will no longer receive updates. We strongly recommend upgrading to a supported version. Visit the current version of this page for the latest documentation.
For release dates, end-of-support timelines, and upgrade guidance, see the Secret Server Product Lifecycle page.

Relevance

This Delinea technical issue knowledge base article is relevant to:

  • Product(s): Secret Server using jQuery 3.2.1
  • Version(s): 10.7
  • Edition(s): All

Technical Issue

Secret Server 10.7 uses jQuery 3.2.1, which is listed as vulnerable to the jQuery CVE-2019-11358 security issue on the Common Vulnerabilities and Exposures (CVE) list.

Resolution

Delinea removed the jQuery vulnerability from Secret Server's copy of jQuery v3.2.1 by applying a patch (see Related Articles and Resources).

To verify the fix:

  1. Navigate to https://<your_secret_server_URL>/assets/libs/jquery-3.2.1.js

  2. Open the file in a text editor.

  3. Search for the string proto in the code: ...

  4. If the string appears, the patch has been applied.
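
The string search can be complemented by a behavioural check. The following is an added example, not code from Delinea or from jQuery: CVE-2019-11358 is a prototype pollution issue in deep `jQuery.extend`, and the upstream fix makes it skip the `__proto__` key. `makeDeepExtend`, `isExtendPatched` and the marker name are hypothetical; `makeDeepExtend` is a simplified stand-in for jQuery's deep extend so the check runs offline.

```javascript
// Simplified stand-in for jQuery.extend(true, target, source); not jQuery's code.
// `guard` toggles the check that the upstream fix adds to the copy loop.
function makeDeepExtend(guard) {
  return function deepExtend(deep, target, source) {
    for (const name in source) {
      const copy = source[name];
      // Patched behaviour: never copy the "__proto__" key or a self-reference.
      if (guard && (name === "__proto__" || target === copy)) continue;
      if (deep && copy && typeof copy === "object" && !Array.isArray(copy)) {
        // Unpatched path: target["__proto__"] resolves to Object.prototype,
        // so the recursive merge writes onto the shared prototype.
        const src = target[name];
        const clone = src && typeof src === "object" ? src : {};
        target[name] = deepExtend(deep, clone, copy);
      } else if (copy !== undefined) {
        target[name] = copy;
      }
    }
    return target;
  };
}

// Returns true when extendFn(deep, target, source) ignores "__proto__".
// The probe removes its own marker afterwards, whatever the outcome.
function isExtendPatched(extendFn) {
  const marker = "cve_2019_11358_probe"; // constructed name, unlikely to collide
  // JSON.parse creates "__proto__" as an ordinary own property of the payload.
  const payload = JSON.parse('{"__proto__": {"' + marker + '": true}}');
  try {
    extendFn(true, {}, payload);
    return ({})[marker] === undefined; // a fresh object must not inherit the marker
  } finally {
    delete Object.prototype[marker];
  }
}

console.log("unguarded extend patched:", isExtendPatched(makeDeepExtend(false)));
console.log("guarded extend patched:  ", isExtendPatched(makeDeepExtend(true)));
```

In a browser console on a page that loads the library, `isExtendPatched(jQuery.extend)` applies the same probe to the shipped copy.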

Related Articles and Resources

The commit shows two files: the top file is the security fix, and the bottom file is a unit test for the fix. Secret Server does not ship with any jQuery unit tests, such as those in the second file.