exploitDog

BDU:2020-05190

Published: 29 Apr 2020
Source: fstec
CVSS3: 6.1
CVSS2: 5.8
EPSS: Low

Description

The vulnerability in the jQuery library is related to a failure to protect the structure of the web page. Exploitation of the vulnerability may allow a remote attacker to affect the integrity of protected information.

Vendor

Free software community
Oracle Corp.
ООО «РусБИТех-Астра»
Novell Inc.
Fedora Project
Red Hat Inc.
The jQuery Foundation
АО "НППКТ"
АО «НТЦ ИТ РОСА»
АО «Концерн ВНИИНС»
Moxa Inc.

Software name

Debian GNU/Linux
WebLogic Server
Retail Back Office
Retail Central Office
Retail Returns Management
PeopleSoft Enterprise PeopleTools
Astra Linux Special Edition
WebCenter Sites
Oracle JDeveloper
Astra Linux Common Edition
Communications Application Session Controller
Communications Operations Monitor
OpenSUSE Leap
Application Testing Suite
Fedora
Insurance Allocation Manager for Enterprise Profitability
Hyperion Financial Reporting
Oracle Policy Automation Connector for Siebel
Astra Linux Special Edition для «Эльбрус»
PeopleSoft Enterprise HCM Human Resources
Oracle Hospitality Materials Control
Oracle Healthcare Foundation
Oracle Agile Product Lifecycle Management for Process
Oracle Financial Services Liquidity Risk Measurement and Management
Oracle Financial Services Market Risk Measurement and Management
Oracle Communications Element Manager
Oracle Communications Session Report Manager
Oracle Communications Session Route Manager
Oracle Banking Enterprise Collections
Primavera Gateway
Oracle Financial Services Liquidity Risk Management
Oracle Financial Services Hedge Management and IFRS Valuations
Financial Services Balance Sheet Planning
Oracle Financial Services Loan Loss Forecasting and Provisioning
Oracle Financial Services Asset Liability Management
Financial Services Profitability Management
Financial Services Funds Transfer Pricing
Financial Services Price Creation and Discovery
Openshift Service Mesh
Enterprise Manager Ops Center
Financial Services Analytical Applications Infrastructure
Oracle FLEXCUBE Private Banking
Communications Billing and Revenue Management
Oracle Communications Interactive Session Recorder
Communications Analytics
Communications Diameter Signaling Router
Oracle Banking Digital Experience
REST Data Services
Banking Platform
Communications WebRTC Session Controller
Oracle Hospitality Simphony
A-MQ Interconnect
Financial Services Institutional Performance Analytics
Insurance Insbridge Rating and Underwriting
jQuery
Oracle Enterprise Session Border Controller
Oracle Financial Services Analytical Applications Reconciliation Framework
Oracle Financial Services Basel Regulatory Capital Basic
Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach
Oracle Financial Services Data Foundation
Oracle Financial Services Data Integration Hub
Insurance Accounting Analyzer
Oracle Insurance Data Foundation
Oracle Policy Automation
Oracle Policy Automation for Mobile Devices
Oracle Retail Customer Management and Segmentation Foundation
Siebel UI Framework
JD Edwards EnterpriseOne Orchestrator
StorageTek Tape Analytics SW Tool
JD Edwards EnterpriseOne Tools
Transportation Management
Siebel Mobile Applications
ОСОН ОСнова Оnyx
РОСА Кобальт
ОС ОН «Стрелец»
OnCell 3120-LTE-1

Software version

9 (Debian GNU/Linux)
10.3.6.0.0 (WebLogic Server)
12.1.3.0.0 (WebLogic Server)
14.0 (Retail Back Office)
14.1 (Retail Back Office)
14.0 (Retail Central Office)
14.1 (Retail Central Office)
14.0 (Retail Returns Management)
14.1 (Retail Returns Management)
8.56 (PeopleSoft Enterprise PeopleTools)
8.57 (PeopleSoft Enterprise PeopleTools)
1.6 «Смоленск» (Astra Linux Special Edition)
8.0 (Debian GNU/Linux)
12.2.1.3.0 (WebLogic Server)
12.2.1.3.0 (WebCenter Sites)
12.2.1.3.0 (Oracle JDeveloper)
2.12 «Орёл» (Astra Linux Common Edition)
3.8.0 (Communications Application Session Controller)
3.4 (Communications Operations Monitor)
15.1 (OpenSUSE Leap)
13.3.0.1 (Application Testing Suite)
10 (Debian GNU/Linux)
31 (Fedora)
8.0.8 (Insurance Allocation Manager for Enterprise Profitability)
11.1.2.4 (Hyperion Financial Reporting)
10.4.6 (Oracle Policy Automation Connector for Siebel)
12.2.1.4.0 (WebLogic Server)
8.1 «Ленинград» (Astra Linux Special Edition для «Эльбрус»)
9.2 (PeopleSoft Enterprise HCM Human Resources)
18.1 (Oracle Hospitality Materials Control)
7.1.1 (Oracle Healthcare Foundation)
6.2.0.0 (Oracle Agile Product Lifecycle Management for Process)
8.0.7 (Oracle Financial Services Liquidity Risk Measurement and Management)
8.0.8 (Oracle Financial Services Liquidity Risk Measurement and Management)
8.0.6 (Oracle Financial Services Market Risk Measurement and Management)
8.0.8 (Oracle Financial Services Market Risk Measurement and Management)
32 (Fedora)
8.58 (PeopleSoft Enterprise PeopleTools)
8.1.1 (Oracle Communications Element Manager)
8.2.0 (Oracle Communications Element Manager)
8.1.1 (Oracle Communications Session Report Manager)
8.2.0 (Oracle Communications Session Report Manager)
8.1.1 (Oracle Communications Session Route Manager)
8.2.0 (Oracle Communications Session Route Manager)
2.7.0 (Oracle Banking Enterprise Collections)
2.8.0 (Oracle Banking Enterprise Collections)
16.2.0 through 16.2.11 inclusive (Primavera Gateway)
8.0.6 (Oracle Financial Services Liquidity Risk Management)
8.0.6 through 8.0.8 inclusive (Oracle Financial Services Hedge Management and IFRS Valuations)
8.0.8 (Financial Services Balance Sheet Planning)
8.0.6 through 8.0.8 inclusive (Oracle Financial Services Loan Loss Forecasting and Provisioning)
8.0.6 (Oracle Financial Services Asset Liability Management)
8.0.7 (Oracle Financial Services Asset Liability Management)
8.0.6 (Financial Services Profitability Management)
8.0.7 (Financial Services Profitability Management)
8.0.6 (Financial Services Funds Transfer Pricing)
8.0.7 (Financial Services Funds Transfer Pricing)
8.0.7 (Financial Services Price Creation and Discovery)
1.0 (Openshift Service Mesh)
15.2 (OpenSUSE Leap)
8.2.1 (Oracle Communications Element Manager)
8.2.1 (Oracle Communications Session Report Manager)
8.2.1 (Oracle Communications Session Route Manager)
14.1.1.0.0 (WebLogic Server)
12.4.0.0 (Enterprise Manager Ops Center)
8.0.6 through 8.1.0 inclusive (Financial Services Analytical Applications Infrastructure)
12.0.0 (Oracle FLEXCUBE Private Banking)
12.1.0 (Oracle FLEXCUBE Private Banking)
17.12.0 through 17.12.7 inclusive (Primavera Gateway)
18.8.0 through 18.8.9 inclusive (Primavera Gateway)
19.12.0 through 19.12.4 inclusive (Primavera Gateway)
7.5.0.23.0 (Communications Billing and Revenue Management)
12.0.0.3.0 (Communications Billing and Revenue Management)
12.2.1.4.0 (WebCenter Sites)
6.1 through 6.4 inclusive (Oracle Communications Interactive Session Recorder)
12.1.1 (Communications Analytics)
8.0.0 through 8.2.2 inclusive (Communications Diameter Signaling Router)
18.1 (Oracle Banking Digital Experience)
18.2 (Oracle Banking Digital Experience)
18.3 (Oracle Banking Digital Experience)
19.1 (Oracle Banking Digital Experience)
19.2 (Oracle Banking Digital Experience)
20.1 (Oracle Banking Digital Experience)
11.2.0.4 (REST Data Services)
12.1.0.2 (REST Data Services)
12.2.0.1 (REST Data Services)
18c (REST Data Services)
2.4.0 through 2.10.0 inclusive (Banking Platform)
33 (Fedora)
7.2 (Communications WebRTC Session Controller)
18.1 (Oracle Hospitality Simphony)
18.2 (Oracle Hospitality Simphony)
19.1.0 through 19.1.2 inclusive (Oracle Hospitality Simphony)
1.y for RHEL 7 (A-MQ Interconnect)
8.0.6 (Financial Services Institutional Performance Analytics)
8.1.0 (Financial Services Institutional Performance Analytics)
8.0.6 (Financial Services Price Creation and Discovery)
5.0.0.0 through 5.6.0.0 inclusive (Insurance Insbridge Rating and Underwriting)
5.6.1.0 (Insurance Insbridge Rating and Underwriting)
19c (REST Data Services)
7.2.0 (Oracle Healthcare Foundation)
7.2.1 (Oracle Healthcare Foundation)
7.3.0 (Oracle Healthcare Foundation)
from 1.2 to 3.5.0 (jQuery)
8.4 (Oracle Enterprise Session Border Controller)
8.0.6 through 8.0.8 inclusive (Oracle Financial Services Analytical Applications Reconciliation Framework)
8.1.0 (Oracle Financial Services Analytical Applications Reconciliation Framework)
8.1.0 (Oracle Financial Services Asset Liability Management)
8.1.0 (Oracle Financial Services Basel Regulatory Capital Basic)
8.0.6 through 8.0.8 inclusive (Oracle Financial Services Basel Regulatory Capital Basic)
8.0.6 through 8.0.8 inclusive (Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach)
8.1.0 (Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach)
8.0.6 through 8.1.0 inclusive (Oracle Financial Services Data Foundation)
8.0.6 (Oracle Financial Services Data Integration Hub)
8.0.7 (Oracle Financial Services Data Integration Hub)
8.1.0 (Oracle Financial Services Data Integration Hub)
8.1.0 (Financial Services Funds Transfer Pricing)
8.1.0 (Oracle Financial Services Hedge Management and IFRS Valuations)
8.0.7 (Financial Services Institutional Performance Analytics)
8.1.0 (Oracle Financial Services Liquidity Risk Measurement and Management)
8.1.0 (Oracle Financial Services Loan Loss Forecasting and Provisioning)
8.1.0 (Financial Services Profitability Management)
8.0.9 (Insurance Accounting Analyzer)
8.1.0 (Insurance Allocation Manager for Enterprise Profitability)
8.0.6 through 8.1.0 inclusive (Oracle Insurance Data Foundation)
11.1.1.9.0 (Oracle JDeveloper)
12.2.1.4.0 (Oracle JDeveloper)
12.2.0 through 12.2.20 inclusive (Oracle Policy Automation)
12.2.0 through 12.2.20 inclusive (Oracle Policy Automation for Mobile Devices)
19.0 (Oracle Retail Customer Management and Segmentation Foundation)
before 20.8 (Siebel UI Framework)
4.1 through 4.3 inclusive (Communications Operations Monitor)
before 9.2.5.1 (JD Edwards EnterpriseOne Orchestrator)
2.3.1 (StorageTek Tape Analytics SW Tool)
before 9.2.5.0 (JD Edwards EnterpriseOne Tools)
6.1 (Oracle Agile Product Lifecycle Management for Process)
1.4.3 (Transportation Management)
up to and including 20.12 (Siebel Mobile Applications)
1.7 (Astra Linux Special Edition)
4.7 (Astra Linux Special Edition)
before 2.1 (ОСОН ОСнова Оnyx)
7.9 (РОСА Кобальт)
before 16.01.2023 (ОС ОН «Стрелец»)
up to and including 2.3 (OnCell 3120-LTE-1)

Software type

Operating system
Network software
Information system application software
Security software
Network appliance software
Network device

Operating systems and hardware platforms

Free software community Debian GNU/Linux 9
ООО «РусБИТех-Астра» Astra Linux Special Edition 1.6 «Смоленск»
Free software community Debian GNU/Linux 8.0
ООО «РусБИТех-Астра» Astra Linux Common Edition 2.12 «Орёл»
Novell Inc. OpenSUSE Leap 15.1
Free software community Debian GNU/Linux 10
Fedora Project Fedora 31
ООО «РусБИТех-Астра» Astra Linux Special Edition для «Эльбрус» 8.1 «Ленинград»
Fedora Project Fedora 32
Novell Inc. OpenSUSE Leap 15.2
Fedora Project Fedora 33
ООО «РусБИТех-Астра» Astra Linux Special Edition 1.7
ООО «РусБИТех-Астра» Astra Linux Special Edition 4.7
АО «НТЦ ИТ РОСА» РОСА Кобальт 7.9
АО «Концерн ВНИИНС» ОС ОН «Стрелец» before 16.01.2023

Vulnerability severity level

Medium severity (CVSS 2.0 base score 6.4)
Medium severity (CVSS 3.0 base score 6.1)

Possible remediation measures

Follow the vendor recommendations:
For jQuery:
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
For Oracle Corp. products:
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpujan2021.html
For Debian GNU/Linux:
https://security-tracker.debian.org/tracker/CVE-2020-11022
For Red Hat Inc. products:
https://access.redhat.com/security/cve/cve-2020-11022
For Novell Inc. products:
https://www.suse.com/security/cve/CVE-2020-11022/
For Fedora Project:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B/
For Moxa:
https://www.moxa.com/en/support/product-support/security-advisory/mpsa-244707-oncell-3120-lte-1-series-multiple-jquery-vulnerabilities
For Astra Linux:
Follow the manufacturer's recommendations:
https://wiki.astralinux.ru/astra-linux-se16-bulletin-20210730SE16
https://wiki.astralinux.ru/pages/viewpage.action?pageId=47416144
https://wiki.astralinux.ru/astra-linux-se81-bulletin-20211019SE81
https://wiki.astralinux.ru/astra-linux-se17-bulletin-2021-1126SE17
https://wiki.astralinux.ru/astra-linux-se47-bulletin-2022-0114SE47
For ОСОН Основа:
Update the jquery package to version 3.3.1~dfsg-3+deb10u1
For ОС ОН «Стрелец»:
Update the jquery package to version 3.1.1-2+deb9u2
For РОСА "КОБАЛЬТ" OS: https://abf.rosa.ru/advisories/ROSA-SA-2025-2760

Vulnerability status

Confirmed by the vendor

Exploit availability

Publicly available

Remediation information

Vulnerability fixed

Identifiers in other vulnerability databases

EPSS

Percentile: 89%
0.04682
Low

CVSS3: 6.1 Medium

CVSS2: 5.8 Medium

Related vulnerabilities

CVSS3: 6.9
ubuntu
about 5 years ago

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

CVSS3: 6.1
redhat
about 5 years ago

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

CVSS3: 6.9
nvd
about 5 years ago

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

CVSS3: 6.9
debian
about 5 years ago

In jQuery versions greater than or equal to 1.2 and before 3.5.0, pass ...

CVSS3: 6.9
github
about 5 years ago

Potential XSS vulnerability in jQuery
