Task #11399
Support #11289: [SCP ID :##5584##] : PCI DSS: Web and Mobile SAP Remediation
Pentest_Web_ADMIN (H2) - Using Components with Known Vulnerabilities
| Status: | Work Completed-End life cycle | Start date: | January 07, 2021 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | Nurul Athira Abdul Rahim | % Done: | 100% |
| Category: | Pentest | Spent time: | - |
| Target version: | - | | |
Description
During the application test, the LGMS security team observed that the libraries and web server used by the application are not up to date. Outdated libraries and web servers may carry publicly known security issues, which an attacker can identify and exploit with automated tools once the version is known.
jquery 3.4.0.min
The library jquery version 3.4.0.min has known security issues. For more information, visit this website:
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
jquery 2.1.1.min
The library jquery version 2.1.1.min has known security issues. For more information, visit those websites:
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Potentially vulnerable
Servlet 3.1
The component Servlet 3.1 has a known security issue. For more information, visit this website:
https://www.ibm.com/support/pages/security-bulletin-multiple-vulnerabilities-http2-implementation-used-websphere-application-server-liberty
Note: The vulnerability might affect a feature of the library that the website is not using. If the vulnerable feature is not used, this alert can be considered a false positive.
Solution given:
1. Identify all components and the versions that the application is using, including all dependencies (e.g., the versions plugin). It is advisable to update the components if they are not up to date.
2. Monitor the security of these components in public databases, project mailing lists, and security mailing lists, and keep them up to date.
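The first remediation step is an inventory of components and versions. The script below is an added example (not part of this ticket and not LGMS tooling) showing one way to extract jQuery versions from a page's script references and banner comments and flag those below a threshold. The sample HTML is constructed, and the threshold of 3.5.0 is an assumption taken from the release note linked in the finding; a real inventory would also cover server-side dependencies (e.g. via a dependency manifest or SBOM), which this snippet does not do.

```python
import re
from dataclasses import dataclass

# Constructed sample page for demonstration: two outdated file references,
# one unrelated script, and one inline jQuery banner comment.
SAMPLE_HTML = """
<html><head>
<script src="/static/js/jquery-2.1.1.min.js"></script>
<script src="https://code.jquery.com/jquery-3.4.0.min.js"></script>
<script src="/static/js/app.js"></script>
<script>
/*! jQuery v3.5.1 | (c) JS Foundation and other contributors | jquery.org/license */
</script>
</head><body></body></html>
"""

# Assumption: the jQuery 3.5.0 release linked in the finding is treated as the
# lowest version not affected by the issues the finding cites.
MIN_RECOMMENDED = (3, 5, 0)

# <script ... src="...jquery..."> references (the src value must contain "jquery")
_SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']*jquery[^"\']*)["\']', re.I)
# Version embedded in the file name, e.g. jquery-3.4.0.min.js
_FILE_VER_RE = re.compile(r'jquery-(\d+)\.(\d+)\.(\d+)(?:\.min)?\.js', re.I)
# Version in the license banner that ships at the top of jQuery builds
_BANNER_RE = re.compile(r'/\*!\s*jQuery\s+v(\d+)\.(\d+)\.(\d+)', re.I)


@dataclass
class Component:
    source: str        # where the version was seen (script src or "inline banner")
    version: tuple     # (major, minor, patch)
    outdated: bool     # True if below MIN_RECOMMENDED


def inventory_jquery(html: str) -> list:
    """Return every jQuery version referenced in the HTML, in document order."""
    found = []
    for m in _SRC_RE.finditer(html):
        src = m.group(1)
        vm = _FILE_VER_RE.search(src)
        if vm:
            ver = tuple(int(x) for x in vm.groups())
            found.append(Component(src, ver, ver < MIN_RECOMMENDED))
    for m in _BANNER_RE.finditer(html):
        ver = tuple(int(x) for x in m.groups())
        found.append(Component("inline banner", ver, ver < MIN_RECOMMENDED))
    return found


def outdated_versions(html: str) -> list:
    """Dotted version strings of every jQuery copy below the recommended minimum."""
    return [".".join(map(str, c.version)) for c in inventory_jquery(html) if c.outdated]


if __name__ == "__main__":
    for c in inventory_jquery(SAMPLE_HTML):
        status = "OUTDATED" if c.outdated else "ok"
        print(f"{'.'.join(map(str, c.version)):>8}  {status:8}  {c.source}")
```

Running the inventory against real pages works the same way: fetch the HTML, pass it to `inventory_jquery`, and review any entry flagged as outdated against the vendor's release notes before deciding whether the affected feature is actually in use (the false-positive caveat in the note above).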
Subtasks
History
#1 Updated by Nurul Athira Abdul Rahim almost 4 years ago
- Subject changed from Pentest_Web_ADMIN (H2) - to Pentest_Web_ADMIN (H2) - Using Components with Known Vulnerabilities
#2 Updated by Najmi Pasarudin almost 4 years ago
Pentest cycle 1 already requires updating jQuery to version 3.4.
Changing again to version 3.5 will take more time and testing due to IBAM template compatibility.
#3 Updated by Najmi Pasarudin over 3 years ago
- Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim
Hi Athira, please divide into sub-tasks.
#4 Updated by Nurul Athira Abdul Rahim over 3 years ago
- Status changed from New - Begin Life Cycle to Development / Work In Progress
#5 Updated by Nurul Athira Abdul Rahim about 3 years ago
- Status changed from Development / Work In Progress to Work Completed-End life cycle
1st assessment pentest expired.
Pending the 2nd scanning report.