[DRAFT] [META] Drupal 7 policy on jQuery related vulnerabilities

Open on Drupal.org →

Created on 1 October 2024, 4 months ago

Drupal 7 core ships with an old version of jQuery and few related libraries.

Security scanning tools will flag D7 sites as vulnerable to a handful of CVEs relating to these old versions.

Most of the CVEs have been mitigated in Drupal 7 core, for example:

SA-CORE-2013-001 mitigates CVE-2011-4969
SA-CORE-2018-001 mitigates CVE-2015-9251 (and CVE-2017-16012)
SA-CORE-2019-006 mitigates CVE-2019-11358 and CVE-2019-5428
SA-CORE-2020-002 mitigates CVE-2020-11022 and CVE-2020-11023

There are some jQuery related CVEs not included in this list, which the Drupal core maintainers and Drupal Security Team believe are not valid vulnerabilities in the context of D7 - for example CVE-2014-6071.

If you are concerned about a jQuery related vulnerability affecting your Drupal 7 site, the recommended solution is to use the jQuery Update module to utilise a recent release of jQuery (and/or related libraries) where the vulnerability has been addressed upstream.

The jQuery Update module manages the following libraries, and allows them to be updated to any version available:

jQuery
jQuery UI
jQuery Cookie
jQuery Form
jQuery Migrate

For more details see the project page at: https://www.drupal.org/project/jquery_update →

📌 Task

Status

Active

Version

7.0 ⚰️

Component

documentation

Created by

🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺

Live updates comments and jobs are added and updated live.

D7

Security
It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

Sign in to follow issues

Comments & Activities

Issue created by @mcdruid
Comment 4 months ago →
🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
Comment 4 months ago →
🇸🇰Slovakia poker10
Thanks for drafting this, looks good to me!
Comment 4 months ago →
🇩🇪Germany Fabianx
mcdruid → credited Fabianx → .
Comment 4 months ago →
🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
Comment 4 months ago →
🇪🇪Estonia ram4nd Tallinn
Why is this marked fixed?
Comment 3 months ago →
System Message
Automatically closed - issue fixed for 2 weeks with no activity.
Status changed to Fixed about 2 months ago11:36am 19 December 2024
Comment about 2 months ago →
🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
@ram4nd apologies for missing your comment.

If you can demonstrate an exploitable vulnerability that arises from e.g. having the old copy of jQuery in D7 core when it's not actually used by the application (which uses up-to-date jQuery libraries via jQuery Update), could you please report that in private to the Drupal Security Team? Thanks!

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024