Security vulnerability from jquery - CVE-2020-11023

While performing security scan of my application I discovered that when I install panel, it also installs some vulnerable js packages, like jQuery 3.4.1. It has a known vulnerability CVE-2020-11023. This vulnerability was already fixed in jQuery 3.5.0.

The jQuery files are located inside panel directory:

# find /opt/conda -name '*jquery*'
/opt/conda/lib/python3.7/site-packages/panel/dist/bundled/plotlyplot/jquery-3.4.1.min.js
/opt/conda/lib/python3.7/site-packages/panel/dist/bundled/goldentemplate/jquery-1.11.1.min.js
/opt/conda/lib/python3.7/site-packages/panel/dist/bundled/bootstraptemplate/jquery-3.4.1.slim.min.js

Question:
Is there a way of controlling versions of js packages required by panel? How could I change them?

1 Like

Thanks for reporting this @rafgonsi.

You would probably have to get Panel updated. The steps would be

  • Create a bug report on github
  • Make a PR with the corrections for Panel.

If I search through the Panel code I find the below.

Whatever is in .py and .html files can just be updated. The package-lock.json probably needs to be updated via some npm command???

1 Like

If you need a here and now solution you could replace the existing jquery files by

  1. Download the updated jquery files.
  2. Rename them to the existing jQuery file names and move them into the matching subfolder of the dist folder in your Panel Python package.

1 Like
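A small audit helper for the situation described in this thread, as an added example (it is not code from the thread or from the Panel project). It walks a directory tree, finds bundled jQuery builds, and reports any whose version is below the 3.5.0 fix for CVE-2020-11023. It reads the version from the `/*! jQuery vX.Y.Z` banner inside the file before trusting the file name, because the in-place workaround above keeps the old file name while the contents change. The directory layout and file contents it creates are constructed stand-ins for the paths listed earlier, not a real Panel install:

```python
import os
import re
import tempfile
from pathlib import Path

# First jQuery release that contains the fix for CVE-2020-11023 (per the thread: 3.5.0).
FIXED_VERSION = (3, 5, 0)

# File names such as jquery-3.4.1.min.js or jquery-3.4.1.slim.min.js
FILENAME_RE = re.compile(r"^jquery-(\d+)\.(\d+)\.(\d+)(?:\.slim)?(?:\.min)?\.js$")
# Banner comment at the top of a jQuery build: /*! jQuery v3.4.1 | (c) ...
BANNER_RE = re.compile(rb"jQuery v(\d+)\.(\d+)\.(\d+)")


def parse_version(path):
    """Return (major, minor, patch) for a jQuery file, or None if undetermined.

    The banner inside the file wins over the file name: after a manual
    replacement the name may still say 3.4.1 while the build is newer.
    """
    try:
        with open(path, "rb") as fh:
            head = fh.read(256)
    except OSError:
        return None
    m = BANNER_RE.search(head)
    if m:
        return tuple(int(x) for x in m.groups())
    m = FILENAME_RE.match(Path(path).name)
    return tuple(int(x) for x in m.groups()) if m else None


def find_outdated_jquery(root, fixed=FIXED_VERSION):
    """Walk `root` and return sorted [(path, version)] for jQuery builds older than `fixed`."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if "jquery" not in name.lower() or not name.endswith(".js"):
                continue
            path = Path(dirpath) / name
            version = parse_version(path)
            if version is not None and version < fixed:
                hits.append((str(path), version))
    return sorted(hits)


def build_sample_tree(base):
    """Create a constructed miniature of the thread's layout (hypothetical contents)."""
    base = Path(base)
    samples = {
        "panel/dist/bundled/plotlyplot/jquery-3.4.1.min.js":
            b"/*! jQuery v3.4.1 | (c) JS Foundation and other contributors */",
        "panel/dist/bundled/goldentemplate/jquery-1.11.1.min.js":
            b"/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. */",
        # The in-place workaround: old file name, but a fixed build inside.
        "panel/dist/bundled/bootstraptemplate/jquery-3.4.1.slim.min.js":
            b"/*! jQuery v3.5.1 -ajax,-ajax/jsonp | (c) JS Foundation */",
        # A build with no version in its name; only the banner identifies it.
        "panel/dist/bundled/other/jquery.min.js":
            b"/*! jQuery v3.6.0 | (c) OpenJS Foundation */",
    }
    for rel, content in samples.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return base


def demo():
    """Run the audit over the constructed tree and return root-relative findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return [(Path(p).relative_to(root).as_posix(), v)
                for p, v in find_outdated_jquery(root)]


if __name__ == "__main__":
    for path, version in demo():
        print(f"{path}: jQuery {'.'.join(map(str, version))} < 3.5.0")
```

Pointing `find_outdated_jquery` at a real site-packages directory (for example the `/opt/conda/lib/python3.7/site-packages` path from the thread) gives a quick check of whether the manual replacement or a later Panel upgrade actually removed every outdated copy, including slim builds and copies whose file names were never updated.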

@rafgonsi. I’ve reported the issue/bug here: JQuery needs update · Issue #2860 · holoviz/panel (github.com)

2 Likes

Fixed here https://github.com/holoviz/panel/pull/2885. Will push that out as part of a 0.12.5 release.

1 Like