Old jQuery files in Lucee admin

Scanning for vulnerable software has revealed outdated jQuery files in locations like
\Lucee\tomcat\lucee-server\context\library\tag\lucee\core\ajax\js\jquery
\Lucee\tomcat\webapps\ROOT\assets\js\lib
jquery-1.10.1.min.js is an example.

These old jQuery files are still in the latest releases. How can these be updated?

OS: Windows 2019
Java Version: 11.0.23
Tomcat Version: 9.0.89
Lucee Version: 5.4.5.23

You could manually update the file with whatever version of jQuery you want, then delete the old jQuery file in use and create a symlink.

You could go fork the project, update the file then create a pull request.
You could file a JIRA issue

Is that jQuery version vulnerable or “just” outdated?

The jQuery files are probably just outdated. I suspect that even if they have a Cross-site Scripting (XSS) vulnerability, being used by the Lucee administrator web site and not publicly exposed, it doesn’t really matter. However, they have been picked up in a Qualys scan as a level 5 and the security team say to update them or remove them. Qualys may identify them by the file name or by the content.

There are also these files.
“C:\Lucee\tomcat\lucee-server\context\library\tag\build\jquery\jquery-1.12.4.min.js”
“C:\Lucee\tomcat\lucee-server\context\library\tag\lucee\core\ajax\js\jquery\jquery-1.4.2.js”
“C:\Lucee\tomcat\lucee-server\context\library\tag\lucee\core\ajax\js\jquery\jquery-1.8.3.js”
“C:\Lucee\tomcat\lucee-server\context\library\tag\lucee\core\ajax\js\jquery\jquery-ui-1.8.2.js”
“C:\Lucee\tomcat\webapps\ROOT\assets\js\lib\jquery-1.10.1.min.js”

These don’t look like jQuery but have jQuery in the file name.
“C:\Lucee\tomcat\lucee-server\context\library\tag\lucee\core\ajax\js\jquery\jquery.layout.js”
“C:\Lucee\tomcat\lucee-server\context\library\tag\lucee\core\ajax\js\jquery\jquery.window.js”
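An inventory check for the question of name versus content, as an added example that is not part of the original posts or of Lucee: it compares the version in each file name with the version in the file's banner comment, and separates jQuery core and jQuery UI from files that only carry "jquery" in the name. The banner patterns, the sample tree and every function name are assumptions made for this sketch, and the sample files are constructed.

```python
import re
import tempfile
from pathlib import Path

# Version claimed by the file name: jquery-1.10.1.min.js, jquery-ui-1.8.2.js
NAME_RE = re.compile(r"^jquery-(?:ui-)?(\d+(?:\.\d+)+)(?:\.min)?\.js$", re.I)
# Version stated in the banner comment at the top of the file (assumed formats)
CORE_RE = re.compile(r"jQuery (?:JavaScript Library )?v(\d+(?:\.\d+)+)")
UI_RE = re.compile(r"jQuery UI (?:- )?v?(\d+(?:\.\d+)+)")

# Constructed sample files (not real library code); only the banner matters.
SAMPLES = {
    "ajax/js/jquery/jquery-1.4.2.js": "/*!\n * jQuery JavaScript Library v1.4.2\n */",
    "ajax/js/jquery/jquery-ui-1.8.2.js": "/*!\n * jQuery UI 1.8.2\n */",
    "ajax/js/jquery/jquery.layout.js": "/* layout plugin, no library banner */",
    "assets/js/lib/jquery-1.10.1.min.js": "/*! jQuery v1.10.1 | (c) jQuery Foundation */",
    # Renamed but not replaced: the name and the banner disagree
    "assets/js/lib/jquery-3.7.1.min.js": "/*! jQuery v1.10.1 | (c) jQuery Foundation */",
}


def classify(path):
    """Return (library, version_in_name, version_in_banner) for one file."""
    with path.open(encoding="utf-8", errors="replace") as fh:
        head = fh.read(2048)
    m = NAME_RE.match(path.name)
    name_ver = m.group(1) if m else None
    for library, banner_re in (("jquery-ui", UI_RE), ("jquery", CORE_RE)):
        hit = banner_re.search(head)
        if hit:
            return (library, name_ver, hit.group(1))
    return ("other", name_ver, None)  # "jquery" in the name only, e.g. a plugin


def inventory(root):
    """Classify every .js file under root whose name contains 'jquery'."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): classify(p)
            for p in sorted(root.rglob("*.js")) if "jquery" in p.name.lower()}


def demo():
    """Write SAMPLES to a temporary tree and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in SAMPLES.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text, encoding="utf-8")
        return inventory(tmp)
```

Pointing `inventory()` at a real install directory gives the list to hand to the security team; an entry whose two versions differ is a file that was renamed without its content being replaced.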

I’ve updated locally these old jQuery files (and Bootstrap 3 as well) and all works fine for the /webapps/ROOT/ website.

See here: Lucee default welcome page changes

Furthermore the jQuery UI 1.10.x version also needs to be updated in the Admin, to at least 1.13.x!

The contents of recent versions of jQuery at Download jQuery | jQuery don’t look similar to the old.

The upgrade procedure on the site is not well documented, with simple statements like the ones below:

The jQuery Migrate plugin simplifies upgrading from older versions of jQuery. The plugin restores deprecated features and behaviors so that older code will still run properly on newer versions of jQuery.

When upgrading from a pre-1.9 jQuery version to jQuery 1.9 or up to jQuery 3.0, first use jQuery Migrate 1.x:

Lucee has single JS files like “jquery-ui-1.8.2.js” but the download at Download Builder | jQuery UI has many files.

Without having instructions as to what file to be replaced with what, obtainable from where, I will leave it up to the Lucee developers to update the admin site.