Secret Server

11.8.x

Heading link
copied to clipboard

Notice: jQuery CVE-2019-11358

Relevance

This Delineatechnical issue knowledge base article is relevant to:

Product(s): Secret Server using jQuery 3.2.1
Version(s): 10.7
Edition(s): All

Technical Issue

Secret Server 10.7 uses jQuery 3.2.1, which is listed as vulnerable to the jQuery CVE-2019-11358 security issue on the Common Vulnerabilities and Exposures (CVE) list.

Resolution

Delinea removed the jQuery vulnerability from Secret Server's copy of jQuery v3.2.1 by applying a patch (see Related Articles and Resources).

To verify the fix:

Navigate to https://<your_secret_server_URL>/assets/libs/jquery-3.2.1.js
Open the file in a text editor.
Search for the string proto in the code: ...

Copy

ERROR: Invalid Code Highlighting Language
If the string appears, the patch has been applied.

Related Articles and Resources

The commit shows two files, the top file is the security fix, and the bottom file is a unit test for the fix. Secret Server does not ship with any jQuery unit tests as found in that second file.

Common Vulnerabilities and Exposures (CVE) list

In this Article