Jquery vulnerability on Management Interface web server


L1 Bithead

Hi team

We received this vulnerability in the report by our vendor for our PA

> According to the self-reported version in the script, the version of JQuery hosted on the remote web server is greater than or equal to 1.2 and prior to 3.5.0. It is, therefore, affected by a cross site scripting vulnerability

and as the solution it's saying "Upgrade to JQuery version 3.5.0 or later.".

 

I researched my way through google and only found this helpful

https://docs.paloaltonetworks.com/oss-listings/pan-os-oss-listings/pan-os-9-0-open-source-software-o...

 

But not getting the precise solution...anyone else faced this?

Currently we are running PAN-OS 8.1.13

 

Thanks in advance
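The finding quoted above is based purely on the version string the jQuery file reports about itself, not on any observed behaviour. The following is an added example (not code from this thread, from Palo Alto Networks, or from the scanner vendor) that reproduces that kind of check over a served script: it pulls the self-reported version out of the build banner, compares it against the 1.2 to 3.5.0 range named in the report, and returns a triage record. The banner patterns and the sample banner lines are constructed assumptions; the point for a defender is that a hit here only tells you what the file claims to be, and a separate check is still needed on whether the affected DOM-manipulation code paths are actually shipped and reachable, which is the distinction TAC draws in the accepted answer.

```javascript
// Added example: reproduce a "self-reported version" jQuery check as a scanner
// would apply it. Not the thread's, Palo Alto Networks' or any vendor's code.

// Range quoted in the scanner report: >= 1.2 and < 3.5.0 (CVE-2020-11022).
const AFFECTED_MIN = [1, 2, 0];
const FIXED_VERSION = [3, 5, 0];

// Extract the version a jQuery build announces about itself. The two patterns
// are assumptions modelled on the usual banner comment shapes
// ("/*! jQuery v1.12.2 ..." and "jQuery JavaScript Library v1.12.2") and on a
// literal `jquery: "x.y.z"` property; real builds may differ.
function extractJqueryVersion(source) {
  const patterns = [
    /jQuery(?: JavaScript Library)? v(\d+\.\d+(?:\.\d+)?)/, // banner comment
    /jquery:\s*["'](\d+\.\d+(?:\.\d+)?)["']/,              // jQuery.fn.jquery literal
  ];
  for (const re of patterns) {
    const m = source.match(re);
    if (m) return m[1];
  }
  return null;
}

// "3.5" -> [3, 5, 0]; pad so comparisons always see three components.
function parseVersion(v) {
  const parts = v.split('.').map(Number);
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Lexicographic compare of [major, minor, patch]; -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Produce the triage record the scanner's version-only logic would give.
// `flagged` means "the version string falls in the reported range", nothing more.
function triageJquery(source) {
  const version = extractJqueryVersion(source);
  if (version === null) {
    return { version: null, flagged: false, reason: 'no self-reported version found' };
  }
  const v = parseVersion(version);
  const flagged =
    compareVersions(v, AFFECTED_MIN) >= 0 && compareVersions(v, FIXED_VERSION) < 0;
  return {
    version,
    flagged,
    reason: flagged
      ? 'version string is in the flagged range; confirm whether the affected DOM-manipulation paths are shipped and reachable before accepting the finding'
      : 'version string is outside the flagged range',
  };
}

// Constructed sample inputs (assumption: first line of a minified build banner).
const SAMPLE_OLD = '/*! jQuery v1.12.2 | (c) jQuery Foundation | jquery.org/license */';
const SAMPLE_NEW = '/*! jQuery v3.5.1 | (c) JS Foundation and other contributors | jquery.org/license */';

console.log(triageJquery(SAMPLE_OLD));
console.log(triageJquery(SAMPLE_NEW));
```

Run with Node; feeding it the text of the script the management interface actually serves (fetched from your own appliance) shows exactly what the scanner keyed on. A `flagged: true` result is the start of the triage, not the end: the vendor's statement that only a lightweight subset is used is the kind of evidence needed to close it out.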

Accepted Solutions

L1 Bithead

Got below UPDATE from TAC-

 

> JQuery - cross site scripting vulnerability CVE-2020-11022.
> This is a false positive by the vulnerability scanner. The Palo Alto Networks Web Mgmt GUI utilises a very lightweight subset of jQuery functions and is not impacted by the CVE reported in jQuery.

 

 

 


Community Team Member

Hi @shubhamG ,

 

I'd check with support for this one as JQuery isn't even listed on the 8.1 OSS listing. 

It's only listed on the 9.0 and 9.1 OSS lists where it's shown as version 1.12.2

 

Cheers,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.


Dear Team,

 

We had already raised this jQuery version vulnerability (2 months ago) and PA TAC suggested the below:

=================================================================================
Currently there is no scheduled release date for the JQuery 3.5.X library within PAN-OS; however it is presently going through QA and being evaluated for future release. Please note PAN-OS uses a small subset of the JQuery function and so it is not impacted by the cross-site scripting vulnerability in said JQuery version. In addition engineering released signature coverage for CVE-2020-11022 and CVE-2020-11023 in Content update 8281 with Threat ID 57176 which detects HTTP Cross Site Scripting Vulnerability. Please apply it to traffic including GlobalProtect if you are using it.
=================================================================================

So at that time it was under QA testing and no ETA was provided, so please advise on any permanent solution provided for this vulnerability.

 

Thanks,

Best Regards,
Ahmed Sadek