Notice: jQuery CVE-2020-11022

You are viewing documentation for a version of Secret Server that is no longer supported. Delinea supports Secret Server for one year after release. This version has passed that window and will no longer receive updates. We strongly recommend upgrading to a supported version. Visit the current version of this page for the latest documentation.
For release dates, end-of-support timelines, and upgrade guidance, see the Secret Server Product Lifecycle page.

Relevance

This Delinea technical issue knowledge base article is relevant to:

  • Product(s): Secret Server using jQuery 3.2.1
  • Version(s): 10.8.000004
  • Edition(s): All

Technical Issue

Secret Server 10.8.000004 uses jQuery 3.2.1, which is listed as vulnerable to the jQuery CVE-2020-11022 security issue on the Common Vulnerabilities and Exposures (CVE) list.

Resolution

Delinea removed the jQuery vulnerability from Secret Server's copy of jQuery v3.2.1 by applying a patch (see Related Articles and Resources).

To verify the fix:

  1. Navigate to https://<your_secret_server_URL>/assets/libs/jquery-3.2.1.js

  2. Open the file in a text editor.

  3. Search for the string htmlPrefilter in the code (line 5919):

    jQuery.extend( {
    htmlPrefilter: function(html) {return html;}

  4. If the string appears, the patch has been applied.

Related Articles and Resources

The commit shows multiple files: the top file is the security fix, and the bottom files are unit tests for the fix. Secret Server does not ship with any jQuery unit tests.