Notice: jQuery CVE-2020-11022
Relevance
This Delinea technical issue knowledge base article is relevant to:
- Product(s): Secret Server using jQuery 3.2.1
- Version(s): 10.8.000004
- Edition(s): All
Technical Issue
Secret Server 10.8.000004 uses jQuery 3.2.1, which is listed as vulnerable to the jQuery CVE-2020-11022 security issue on the Common Vulnerabilities and Exposures (CVE) list.
Resolution
Delinea removed the jQuery vulnerability from Secret Server's copy of jQuery v3.2.1 by applying a patch (see Related Articles and Resources).
To verify the fix:
- Navigate to https://<your_secret_server_URL>/assets/libs/jquery-3.2.1.js
- Open the file in a text editor.
- Search for the string htmlPrefilter in the code (line 5919):

      jQuery.extend( {
      htmlPrefilter: function(html) {return html;}

- If the string appears, the patch has been applied.
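
A scripted version of the check above, added here as an example (not Delinea's code). Stock jQuery 3.2.1 also defines htmlPrefilter, with the body `return html.replace( rxhtmlTag, "<$1></$2>" );`, so the script inspects the function body shown in the snippet rather than the name alone. The function name classify_prefilter and the local file name are assumptions.

```shell
#!/bin/sh
# Added example: classify a local copy of jquery-3.2.1.js by the body of
# its htmlPrefilter definition.
#
# Fetch the file first, for example:
#   curl -s -o jquery-3.2.1.js "https://<your_secret_server_URL>/assets/libs/jquery-3.2.1.js"
#   sh check_prefilter.sh jquery-3.2.1.js
#
# Output: "patched"   - htmlPrefilter returns its input unchanged
#         "unpatched" - htmlPrefilter still rewrites the markup via html.replace(...)
#         "unknown"   - no htmlPrefilter definition found, or an unrecognised body

classify_prefilter() {
    # $1: path to the local copy of the jQuery file.
    # Match only the definition ("htmlPrefilter:"), not call sites such as
    # jQuery.htmlPrefilter( value ). Take that line plus the next two, then
    # strip whitespace so formatting differences do not matter.
    body=$(awk '/htmlPrefilter:/ { n = 3 }
                n > 0 { printf "%s", $0; n-- }' "$1" | tr -d ' \t\r')

    case "$body" in
        "")                         echo "unknown" ;;
        *'returnhtml;'*)            echo "patched" ;;
        *'returnhtml.replace('*)    echo "unpatched" ;;
        *)                          echo "unknown" ;;
    esac
}

# Run against a file when one is given on the command line.
if [ "$#" -gt 0 ]; then
    classify_prefilter "$1"
fi
```

A result of "unknown" means the file should be reviewed by hand, for example when the served copy is minified or is a different jQuery version.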