Task #12558

Task #12556: Pentest - 2nd Assessment [2021]

Pentest_IBAM - Using Components with Known Vulnerabilities [MED]

Added by Nurul Athira Abdul Rahim almost 3 years ago. Updated about 2 years ago.

Status: Work Completed-End life cycle
Start date: November 08, 2021
Priority: Normal
Due date:
Assignee: Nurul Athira Abdul Rahim
% Done: 90%
Category: Penetration Test Issue
Spent time: -
Target version: -

Description

During the application test, the LGMS security team observed that the client-side JavaScript libraries used by the application are not up to date. Outdated libraries with publicly documented vulnerabilities pose a serious risk, because an attacker can identify the affected versions and exploit the known issues with automated tools.

Bootstrap 4.1.1
The library Bootstrap version 4.1.1 has known security issues. For more information, visit this website:

https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe%3A2.3%3Aa%3Agetbootstrap%3Abootstrap%3A4.1.1%3A*%3A*%3A*%3A*%3A*%3A*%3A*

jQuery UI 1.10.3
The library jQuery UI version 1.10.3 has known security issues. For more information, visit this website:
https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe%3A2.3%3Aa%3Ajquery%3Ajquery_ui%3A1.10.3%3A*%3A*%3A*%3A*%3A*%3A*%3A*

Note: A published vulnerability may affect a feature of the library that the application does not use. If the vulnerable feature is not used, this alert can be treated as a false positive for that library, although upgrading remains the simplest way to close the finding and to avoid re-checking each new advisory against the application's usage.

Solution provided by LGMS:
1. Identify all components and the versions that the application is using, including all dependencies (e.g., plugins bundled with a library). Update any component that is not on a current, supported release.

2. Monitor the security of these components in public vulnerability databases, project mailing lists, and security mailing lists, and keep them up to date.

Affected Components:
https://10.10.55.34:9444/bsn-admin-uat/js/libs/jquery-ui-1.10.3.min.js
https://10.10.55.34:9444/bsn-admin-uat/assets/plugins/bootstrap/js/bootstrap.bundle.min.js
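The first remediation step (inventory the component versions) and the later retest can both be scripted. The following is an added example written for this ticket; it is not LGMS's tooling and not part of the application. It assumes the version banner layout that the two libraries place at the top of their distributed files ("Bootstrap v4.1.1 (https://getbootstrap.com/)" and "jQuery UI - v1.10.3 - ...") and takes the remediation targets 4.6.1 and 1.13.0 from history entry #3; the sample script bodies are constructed, and the `fetch` helper with `verify_tls=False` is only for the self-signed UAT host.

```python
import re
import ssl
import urllib.request

# Version banners the two libraries ship at the top of their distributed files
# (assumed layout, e.g. "/*! Bootstrap v4.1.1 (https://getbootstrap.com/)" and
# "/*! jQuery UI - v1.10.3 - 2013-05-03"). The filename patterns are a fallback
# for files served under versioned names such as jquery-ui-1.10.3.min.js.
LIBRARIES = {
    "bootstrap": {
        "banner": re.compile(r"Bootstrap\s+v(\d+\.\d+\.\d+)"),
        "filename": re.compile(r"bootstrap[-.](\d+\.\d+\.\d+)", re.IGNORECASE),
        "target": "4.6.1",   # remediation target from history entry #3
    },
    "jquery-ui": {
        "banner": re.compile(r"jQuery UI\s+-\s+v(\d+\.\d+\.\d+)"),
        "filename": re.compile(r"jquery-ui-(\d+\.\d+\.\d+)", re.IGNORECASE),
        "target": "1.13.0",  # remediation target from history entry #3
    },
}


def parse_version(version: str) -> tuple:
    """Turn '4.6.1' into (4, 6, 1) so comparisons are numeric, not lexical
    ('4.10.0' must sort after '4.6.1')."""
    return tuple(int(part) for part in version.split("."))


def identify(url: str, body: str):
    """Return (library, version) from the file banner, else from the URL
    filename, else None. Only the head of the body is inspected."""
    for name, spec in LIBRARIES.items():
        match = spec["banner"].search(body[:2000]) or spec["filename"].search(url)
        if match:
            return name, match.group(1)
    return None


def assess(url: str, body: str) -> dict:
    """Compare the detected version with the remediation target."""
    found = identify(url, body)
    if found is None:
        return {"url": url, "library": None, "version": None, "status": "unknown"}
    name, version = found
    target = LIBRARIES[name]["target"]
    status = "ok" if parse_version(version) >= parse_version(target) else "outdated"
    return {"url": url, "library": name, "version": version,
            "target": target, "status": status}


def fetch(url: str, verify_tls: bool = True) -> str:
    """Download a script body. verify_tls=False is for UAT hosts with
    self-signed certificates only; never use it against production."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, context=ctx, timeout=15) as resp:
        return resp.read(200_000).decode("utf-8", errors="replace")


# Constructed sample bodies that mirror the banner layout of the real files;
# they are not copies of the files served by the application.
SAMPLE_BOOTSTRAP_OLD = "/*!\n  * Bootstrap v4.1.1 (https://getbootstrap.com/)\n  */\n!function(){}();"
SAMPLE_BOOTSTRAP_NEW = "/*!\n  * Bootstrap v4.6.1 (https://getbootstrap.com/)\n  */\n!function(){}();"
SAMPLE_JQUERY_UI_OLD = "/*! jQuery UI - v1.10.3 - 2013-05-03\n* http://jqueryui.com\n*/\n(function(){})();"

# The two affected components listed in this ticket.
AFFECTED = [
    "https://10.10.55.34:9444/bsn-admin-uat/js/libs/jquery-ui-1.10.3.min.js",
    "https://10.10.55.34:9444/bsn-admin-uat/assets/plugins/bootstrap/js/bootstrap.bundle.min.js",
]

if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for url, body in ((AFFECTED[0], SAMPLE_JQUERY_UI_OLD), (AFFECTED[1], SAMPLE_BOOTSTRAP_OLD)):
        print(assess(url, body))
    # Retest against the live UAT host (self-signed certificate assumed):
    # for url in AFFECTED:
    #     print(assess(url, fetch(url, verify_tls=False)))
```

Banner detection fails silently when a build pipeline strips comment headers, which is why the filename fallback exists and why the result "unknown" is reported rather than treated as "ok". For a retest in the browser itself, the loaded versions can also be read at runtime from the browser console (`$.fn.tooltip.Constructor.VERSION` for Bootstrap 4, `$.ui.version` for jQuery UI), which confirms what the page actually executes rather than what the server happens to host.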

sc2.png (74.3 KB) Najmi Pasarudin, December 10, 2021 09:53

History

#1 Updated by Nurul Athira Abdul Rahim almost 3 years ago

  • Subject changed from Pentest_IBAM - Using Components with Known Vulnerabilities [LOW] to Pentest_IBAM - Using Components with Known Vulnerabilities [MED]

#2 Updated by Najmi Pasarudin almost 3 years ago

  • Status changed from New - Begin Life Cycle to Development / Work In Progress

#3 Updated by Najmi Pasarudin almost 3 years ago

  • File sc2.png added
  • % Done changed from 0 to 90
Updates, refer to sc2.png
  1. Bootstrap 4.1.1 > 4.6.1
  2. jquery-ui 1.10.3 > 1.13.0

#4 Updated by Najmi Pasarudin almost 3 years ago

  • Status changed from Development / Work In Progress to Internal Testing
  • Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim

#5 Updated by Nurul Athira Abdul Rahim almost 3 years ago

  • Status changed from Internal Testing to System Integration Test

#6 Updated by Najmi Pasarudin over 2 years ago

  • Status changed from System Integration Test to Pending Prod Deployment
  • Assignee changed from Nurul Athira Abdul Rahim to Najmi Pasarudin

#7 Updated by Najmi Pasarudin over 2 years ago

  • Status changed from Pending Prod Deployment to Pending Review
  • Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim

Production deployed on 4/3/2022

#8 Updated by Nurul Athira Abdul Rahim about 2 years ago

  • Status changed from Pending Review to Work Completed-End life cycle
