Task #11407
Support #11289: [SCP ID :##5584##] : PCI DSS: Web and Mobile SAP Remediation
Pentest_Web_CDB (H2) - Using Components with Known Vulnerabilities
| Status: | Work Completed-End life cycle | Start date: | December 01, 2020 |
|---|---|---|---|
| Priority: | High | Due date: | |
| Assignee: | Nurul Athira Abdul Rahim | % Done: | 100% |
| Category: | Pentest | Spent time: | - |
| Target version: | - | | |
Description
During the application test, the LGMS security team observed that the plugins, libraries and web server components used by the application are not up to date. Outdated components pose a serious security risk, because an attacker can identify and exploit their published vulnerabilities with automated tools.
bootstrap 4.1.1
The library bootstrap version 4.1.1 has known security issues. For more information, visit this website:
https://github.com/twbs/bootstrap/issues/28236
ckeditor 4.8.0
The library ckeditor version 4.8.0 has known security issues. For more information, visit these websites:
https://ckeditor.com/blog/CKEditor-4.9.2-with-a-security-patch-released/
https://ckeditor.com/cke4/release-notes
jquery 3.4.0 (minified build)
The library jquery version 3.4.0 has known security issues, fixed in 3.5.0. For more information, visit this website:
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
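To make the jQuery item concrete, the following added example (editor's code, not from the pentest report or from the jQuery project) reimplements the `jQuery.htmlPrefilter` regex as it stood before 3.5.0, which rewrote self-closing tags such as `<style/>` into `<style></style>`, and runs it over a constructed payload. With the old prefilter the payload gains an `<img>` element whose `onerror` handler would fire once the string reaches `.html()`, `.append()` or `$()`; from 3.5.0 `htmlPrefilter` returns its input unchanged, so the same string stays inert text inside the `<style>` element. `imgEscapesStyle` is a deliberately crude stand-in for the browser parser, used only to show the difference offline.

```javascript
// Added example: the regex is the one jQuery shipped before 3.5.0; the
// change is described at https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// jQuery.htmlPrefilter in 3.4.x and earlier: expand XHTML-style self-closing
// tags of non-void elements into an open/close pair before parsing.
function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// jQuery.htmlPrefilter from 3.5.0 onwards: markup reaches the parser untouched.
function fixedHtmlPrefilter(html) {
  return html;
}

// Constructed payload of the shape used against the pre-3.5.0 behaviour. In a
// browser everything after an unclosed <style> is raw text, so the <img> only
// becomes an element if something closes the <style> first.
const PAYLOAD = "<style><style/><img src=x onerror=alert(1)>";

// Crude model of what a parser does with the prefiltered string: does an
// <img ...> tag end up outside any <style>...</style> run?
function imgEscapesStyle(html) {
  const withoutStyleBlocks = html.replace(/<style\b[^>]*>[\s\S]*?<\/style>/gi, "");
  // An unclosed <style> swallows the rest of the document as text.
  const unclosed = withoutStyleBlocks.search(/<style\b/i);
  const visible = unclosed === -1 ? withoutStyleBlocks : withoutStyleBlocks.slice(0, unclosed);
  return /<img\b/i.test(visible);
}

console.log(legacyHtmlPrefilter(PAYLOAD)); // <style><style></style><img src=x onerror=alert(1)>
console.log(imgEscapesStyle(legacyHtmlPrefilter(PAYLOAD))); // true
console.log(imgEscapesStyle(fixedHtmlPrefilter(PAYLOAD)));  // false
```

The practical consequence for this ticket: any place where the application passes server- or user-supplied HTML into a jQuery manipulation method is reachable through this prefilter while the bundled build is older than 3.5.0, independent of the IBAM template compatibility question raised in the history below.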
Potentially vulnerable
Servlet 3.1
The component Servlet 3.1 has a known security issue. For more information, visit this website:
https://www.ibm.com/support/pages/security-bulletin-multiple-vulnerabilities-http2-implementation-used-websphere-application-server-liberty
Note: The vulnerability may affect a feature of the library that the website does not use. If the vulnerable feature is not used, this alert can be considered a false positive.
Given solution:
1. Identify all components and versions the application uses, including all dependencies (e.g., with a build tool's versions plugin), and update any that are not current.
2. Monitor the security of these components in public databases, project mailing lists, and security mailing lists, and keep them up to date.
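Step 1 asks for an inventory of components and their versions. As an added example (editor's own code, not something the report or the project provides), the following Node script extracts version banners from the kinds of static assets named in this finding and compares them against a floor version. The jQuery and CKEditor floors (3.5.0 and 4.9.2) come from the references linked above; the Bootstrap floor of 4.3.1 is the release that closed the linked GitHub issue. The file contents are constructed stubs that carry only the banner forms assumed here; in practice `scanFiles` would be fed by a walk of the web root.

```javascript
// Added example: inventory JS libraries from their banner text and flag any
// version below a known-fixed floor.
const FLOORS = {
  jquery: "3.5.0",     // from the jQuery 3.5.0 release post linked above
  bootstrap: "4.3.1",  // release that closed twbs/bootstrap#28236
  ckeditor: "4.9.2",   // from the CKEditor 4.9.2 security release linked above
};

// Banner forms assumed for this example (jQuery and Bootstrap ship a header
// comment; CKEditor 4 embeds version:"x.y.z" in its bootstrap object).
const PATTERNS = [
  { name: "jquery",    re: /jQuery v(\d+\.\d+\.\d+)/ },
  { name: "bootstrap", re: /Bootstrap v(\d+\.\d+\.\d+)/ },
  { name: "ckeditor",  re: /CKEDITOR[\s\S]*?version:\s*["'](\d+\.\d+\.\d+)["']/ },
];

// Numeric comparison so that 3.10.0 sorts after 3.9.9.
function compareVersions(a, b) {
  const x = a.split(".").map(Number);
  const y = b.split(".").map(Number);
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    const d = (x[i] || 0) - (y[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Detect a library and its version from one file's contents, or null.
function identify(content) {
  for (const { name, re } of PATTERNS) {
    const m = content.match(re);
    if (m) return { name, version: m[1] };
  }
  return null;
}

// files: { path: contents }. Returns one record per recognised library.
function scanFiles(files) {
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    const lib = identify(content);
    if (!lib) continue;
    const floor = FLOORS[lib.name];
    findings.push({
      path,
      name: lib.name,
      version: lib.version,
      floor,
      outdated: floor !== undefined && compareVersions(lib.version, floor) < 0,
    });
  }
  return findings;
}

// Constructed stand-ins for the real bundles; only the banner lines matter.
const SAMPLE_FILES = {
  "static/js/jquery-3.4.0.min.js":
    "/*! jQuery v3.4.0 | (c) JS Foundation and other contributors | jquery.org/license */\n!function(e,t){}(window);",
  "static/js/bootstrap.min.js":
    "/*!\n * Bootstrap v4.1.1 (https://getbootstrap.com/)\n */\n!function(t,e){}(window);",
  "static/ckeditor/ckeditor.js":
    'window.CKEDITOR||(window.CKEDITOR=function(){var a={timestamp:"stub",version:"4.8.0",revision:"stub"};return a}());',
  "static/js/app.js":
    "// application code, no vendor banner\n",
};

// Human-readable list of components sitting below their floor.
function outdatedComponents(files = SAMPLE_FILES) {
  return scanFiles(files)
    .filter((f) => f.outdated)
    .map((f) => `${f.name} ${f.version} < ${f.floor}`);
}

console.log(outdatedComponents().join("\n"));
```

Banner matching is only a first pass: minified bundles with stripped headers, vendored copies renamed into an application bundle, and server-side components such as the servlet container need a manifest- or package-based inventory (the build tool's dependency report, the application server's feature list) before the remediation can be called complete.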
Subtasks
History
#1 Updated by Najmi Pasarudin almost 4 years ago
Pentest cycle 1 already requires updating jQuery to version 3.4.
Changing again to version 3.5 will take more time and testing due to IBAM template compatibility.
#2 Updated by Najmi Pasarudin over 3 years ago
- Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim
Hi Athira, please divide into sub-tasks.
#3 Updated by Nurul Athira Abdul Rahim over 3 years ago
- Status changed from New - Begin Life Cycle to Development / Work In Progress
#4 Updated by Nurul Athira Abdul Rahim about 3 years ago
- Status changed from Development / Work In Progress to Work Completed-End life cycle
Updated from JTM:
1st assessment pentest expired.
Pending 2nd scanning report.