View Issue Details

ID: 0024672
Project: mantisbt
Category: security
View Status: public
Last Update: 2019-03-16 20:20
Reporter: Kyle_Katarn
Assigned To: atrol
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.16.0
Target Version: 2.20.0
Fixed in Version: 2.20.0
Summary: 0024672: Fix Bootstrap security issues (CVE-2018-14040, CVE-2018-14041, CVE-2018-14042)
Description

Mantis depends on Bootstrap 3.3.6, which has some vulnerabilities (3 medium according to Netsparker).
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14040
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14041
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14042

Consider updating to a more recent version.

Tags: No tags attached.

Activities

dregad (developer)   2018-08-16 11:22   ~0060442
Last edited: 2018-08-16 11:32

Thanks for the heads up, we'll look into it.

EDIT: After a quick look at changes from 3 to 4, and considering our use of the ACE admin template, this is no small undertaking... don't hold your breath ;-)

atrol (developer)   2018-08-16 11:44   ~0060443

After a quick look at changes from 3 to 4, and considering our use of the ACE admin template, this is no small undertaking

Using 3.4.0 might be an option
https://github.com/twbs/bootstrap/commits/v3.4.0-dev
From what I see, they seem to fix security issues in this branch
https://github.com/twbs/bootstrap/commit/2a5ba23ce8f041f3548317acc992ed8a736b609d

dregad (developer)   2018-08-17 05:14   ~0060446

Using 3.4.0 might be an option

Assuming they ever release it...
https://github.com/twbs/bootstrap/issues/25679

Kyle_Katarn (reporter)   2018-08-17 06:22   ~0060447

Would you please edit my issue's title in order to change it to "Fix CVE-2018-14040, CVE-2018-14041, CVE-2018-14042" ? (which is more relevant)

atrol (developer)   2018-12-30 15:42   ~0061119

PR https://github.com/mantisbt/mantisbt/pull/1432

Kyle_Katarn (reporter)   2018-12-30 15:53   ~0061120

Thanks !!

vboctor (manager)   2019-02-24 16:39   ~0061568

@atrol should this be applied to 2.19.1?

atrol (developer)   2019-02-25 09:55   ~0061571

@vboctor this is a security issue, but I did not investigate if there is a way to use the leak in MantisBT.
I don't expect that backporting to 2.19.1 will break something, but I don't have time for tests.

So the answer is: Maybe ;-)

Related Changesets

MantisBT: master fd56979f
2018-12-30 15:40:02   atrol

Update Bootstrap to 3.4.0

Fixes 0024672

Affected Issues: 0024672

mod - core/constant_inc.php
rm - css/bootstrap-3.3.6.css
rm - css/bootstrap-3.3.6.min.css
add - css/bootstrap-3.4.0.css
add - css/bootstrap-3.4.0.min.css
rm - js/bootstrap-3.3.6.min.js
add - js/bootstrap-3.4.0.js
add - js/bootstrap-3.4.0.min.js
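As an added, defender-side example (not code from this issue or from the MantisBT project): a small Python script that walks a webroot looking for the versioned Bootstrap assets MantisBT ships (bootstrap-X.Y.Z[.min].js/.css, the naming visible in the changeset above) and flags any 3.x copy older than 3.4.0, the version in which the fixes landed according to this issue. It is the kind of check an operator would run after deploying the update to confirm no stale 3.3.6 files were left behind. The demo directory tree is constructed; the 3.4.0 cutoff and the three CVE ids are taken from the issue, and the script deliberately only judges the 3.x line the issue discusses.

```python
"""Flag vendored Bootstrap 3.x assets older than 3.4.0.

Added example; not part of the MantisBT issue or the project's code. The
fixed version (3.4.0), the asset naming scheme (bootstrap-X.Y.Z[.min].js/.css)
and the CVE ids come from the issue; the directory tree built below is
constructed for the demo.
"""
import os
import re
import tempfile
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Matches the versioned asset names seen in the changeset, e.g. bootstrap-3.3.6.min.css
ASSET_RE = re.compile(r"^bootstrap-(\d+)\.(\d+)\.(\d+)(?:\.min)?\.(?:js|css)$")
FIXED_IN: Version = (3, 4, 0)
CVES = ("CVE-2018-14040", "CVE-2018-14041", "CVE-2018-14042")


def parse_version(filename: str) -> Optional[Version]:
    """Return (major, minor, patch) for a versioned Bootstrap asset, else None."""
    m = ASSET_RE.match(filename)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(version: Version) -> bool:
    """True for the 3.x line below 3.4.0, where this issue says the fixes landed.

    Only 3.x is judged here because that is the line the issue concerns;
    other major versions are reported but not classified.
    """
    return version[0] == 3 and version < FIXED_IN


def scan(root: str) -> List[Tuple[str, Version, bool]]:
    """Walk `root` and list every Bootstrap asset as (relative path, version, affected)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            version = parse_version(name)
            if version is None:
                continue  # jquery, fonts, unversioned files: not Bootstrap assets
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            findings.append((rel, version, is_affected(version)))
    return sorted(findings)


def report(root: str) -> List[str]:
    """One human-readable line per affected asset; empty list when the tree is clean."""
    lines = []
    for rel, version, affected in scan(root):
        if affected:
            lines.append("%s: Bootstrap %d.%d.%d < 3.4.0, affected by %s"
                         % (rel, *version, ", ".join(CVES)))
    return lines


def build_demo_tree() -> str:
    """Constructed webroot: a pre-fix layout with one updated file left beside stale copies."""
    root = tempfile.mkdtemp(prefix="mantis-demo-")
    for rel in ("css/bootstrap-3.3.6.min.css", "js/bootstrap-3.3.6.min.js",
                "js/bootstrap-3.4.0.js", "js/jquery-2.2.4.min.js"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("/* placeholder content, constructed for the demo */\n")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for line in report(demo) or ["no affected Bootstrap assets found"]:
        print(line)
```

Point `scan()` at the real webroot instead of the demo tree to use it; the version is read from the file name only, so a renamed or unversioned copy of Bootstrap would need a content-based check (for example comparing hashes of known releases) that this example does not attempt.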

Issue History

Date Modified Username Field Change
2018-08-16 08:53 Kyle_Katarn New Issue
2018-08-16 11:22 dregad Status new => acknowledged
2018-08-16 11:22 dregad Category bugtracker => security
2018-08-16 11:22 dregad Note Added: 0060442
2018-08-16 11:32 dregad Note Edited: 0060442 View Revisions
2018-08-16 11:44 atrol Note Added: 0060443
2018-08-17 05:14 dregad Note Added: 0060446
2018-08-17 06:22 Kyle_Katarn Note Added: 0060447
2018-08-17 08:13 dregad Summary Update to Boostrap 4.1.3 => Fix Bootstrap security issues (CVE-2018-14040, CVE-2018-14041, CVE-2018-14042)
2018-12-30 15:41 atrol Assigned To => atrol
2018-12-30 15:41 atrol Status acknowledged => assigned
2018-12-30 15:41 atrol Target Version => 2.19.0
2018-12-30 15:42 atrol Note Added: 0061119
2018-12-30 15:53 Kyle_Katarn Note Added: 0061120
2019-01-02 17:32 vboctor Target Version 2.19.0 => 2.20.0
2019-01-06 05:23 atrol Changeset attached => MantisBT master fd56979f
2019-01-06 05:23 atrol Status assigned => resolved
2019-01-06 05:23 atrol Resolution open => fixed
2019-01-06 05:23 atrol Fixed in Version => 2.20.0
2019-02-24 16:39 vboctor Note Added: 0061568
2019-02-25 09:55 atrol Note Added: 0061571
2019-03-16 20:20 vboctor Status resolved => closed