View Issue Details

ID: 0024672
Project: mantisbt
Category: security
View Status: public
Last Update: 2019-09-20 10:26
Reporter: Kyle_Katarn
Assigned To: atrol
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.16.0
Target Version: 2.20.0
Fixed in Version: 2.20.0
Summary0024672: Fix Bootstrap security issues (CVE-2018-14040, CVE-2018-14041, CVE-2018-14042)
Description

Mantis is depending on Bootstrap 3.3.6 which has some vulnerabilities (3 medium according to Netsparker).
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14040
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14041
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14042

Consider updating to a more recent version.
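As an added example (not part of this issue or of MantisBT's own code), a small audit script that walks a web root for bundled Bootstrap assets and reports which of the CVEs named in this issue each version still leaves unfixed. It assumes the `bootstrap-X.Y.Z[.min].{js,css}` file naming used in MantisBT's css/ and js/ directories, and takes the fixed-in versions from this issue (3.4.0) and the related issue 0026160 (3.4.1).

```python
import re
from pathlib import Path

# Fixed-in versions as stated in this issue and in related issue 0026160.
FIXED_IN = {
    "CVE-2018-14040": (3, 4, 0),
    "CVE-2018-14041": (3, 4, 0),
    "CVE-2018-14042": (3, 4, 0),
    "CVE-2019-8331": (3, 4, 1),
}

# Assumed naming convention of the bundled assets, e.g. css/bootstrap-3.3.6.min.css
ASSET_RE = re.compile(r"^bootstrap-(\d+)\.(\d+)\.(\d+)(?:\.min)?\.(?:js|css)$")


def parse_version(filename):
    """Return (major, minor, patch) for a bundled Bootstrap asset name, else None."""
    m = ASSET_RE.match(filename)
    return tuple(int(x) for x in m.groups()) if m else None


def unfixed_cves(version):
    """CVEs from FIXED_IN whose fix version is newer than the bundled version."""
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)


def audit_assets(paths):
    """Map each Bootstrap asset path to the list of CVEs its version does not fix."""
    report = {}
    for p in paths:
        version = parse_version(Path(p).name)
        if version is not None:  # skip jQuery, Font Awesome, etc.
            report[str(p)] = unfixed_cves(version)
    return report


def audit_webroot(root):
    """Recursively audit every bootstrap-*.js / bootstrap-*.css under a MantisBT web root."""
    return audit_assets(p.relative_to(root) for p in Path(root).rglob("bootstrap-*"))


if __name__ == "__main__":
    # Constructed sample mirroring the file names in this issue's changeset.
    sample = ["css/bootstrap-3.3.6.min.css", "js/bootstrap-3.4.0.min.js", "js/jquery-2.2.4.min.js"]
    for path, cves in audit_assets(sample).items():
        print(path, "OK" if not cves else "unfixed: " + ", ".join(cves))
```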

Tags: No tags attached.

Relationships

related to 0026160 (closed, dregad): Update bundled Bootstrap to 3.4.1 (CVE-2019-8331)

Activities

dregad (developer), 2018-08-16 11:22, note ~0060442

Last edited: 2018-08-16 11:32

Thanks for the heads up, we'll look into it.

EDIT: After a quick look at changes from 3 to 4, and considering our use of the ACE admin template, this is no small undertaking... don't hold your breath ;-)

atrol (developer), 2018-08-16 11:44, note ~0060443

> After a quick look at changes from 3 to 4, and considering our use of the ACE admin template, this is no small undertaking

Using 3.4.0 might be an option
https://github.com/twbs/bootstrap/commits/v3.4.0-dev
From what I see, they seem to fix security issues in this branch
https://github.com/twbs/bootstrap/commit/2a5ba23ce8f041f3548317acc992ed8a736b609d

dregad (developer), 2018-08-17 05:14, note ~0060446

> Using 3.4.0 might be an option

Assuming they ever release it...
https://github.com/twbs/bootstrap/issues/25679

Kyle_Katarn (reporter), 2018-08-17 06:22, note ~0060447

Would you please edit my issue's title in order to change it to "Fix CVE-2018-14040, CVE-2018-14041, CVE-2018-14042"? (which is more relevant)

atrol (developer), 2018-12-30 15:42, note ~0061119

PR https://github.com/mantisbt/mantisbt/pull/1432

Kyle_Katarn (reporter), 2018-12-30 15:53, note ~0061120

Thanks!!

vboctor (manager), 2019-02-24 16:39, note ~0061568

@atrol should this be applied to 2.19.1?

atrol (developer), 2019-02-25 09:55, note ~0061571

@vboctor this is a security issue, but I did not investigate if there is a way to use the leak in MantisBT.
I don't expect that backporting to 2.19.1 will break something, but I don't have time for tests.

So the answer is: Maybe ;-)

Related Changesets

MantisBT: master fd56979f, 2018-12-30 10:40, atrol

Update Bootstrap to 3.4.0

Fixes 0024672

Affected Issues: 0024672

Files:
mod - core/constant_inc.php
rm - css/bootstrap-3.3.6.css
rm - css/bootstrap-3.3.6.min.css
add - css/bootstrap-3.4.0.css
add - css/bootstrap-3.4.0.min.css
rm - js/bootstrap-3.3.6.min.js
add - js/bootstrap-3.4.0.js
add - js/bootstrap-3.4.0.min.js