Upgrade to jQuery v3.4.1+ - DevExpress Controls

ASP.NET Team Blog
11 June 2019

In late March 2019, a new medium-level jQuery security vulnerability was disclosed.

This vulnerability is specific for jQuery versions older than v3.4.0 and we encourage you to upgrade to jQuery v3.4.1+.

In this post, I'll discuss why you should update both your jQuery and DevExpress installation.

jQuery Prototype Pollution

The new jQuery 'prototype pollution' vulnerability can be dangerous to your websites because:

This security vulnerability referred to and manifests as prototype pollution, enables attackers to overwrite a JavaScript application object prototype. When that happens, properties that are controlled by the attacker can be injected into objects and then either lead to denial of service by triggering JavaScript exceptions, or tamper with the application source code to force the code path that the attacker injects. - Liran Tal

Specifically, the jQuery.extend() method is affected:

"jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype." - CVE-2019-11358 Detail

For more information on this vulnerability, please refer to the following posts:

DevExtreme, Web Reports, & Dashboards

This vulnerability affects customers who use DevExtreme, Web Reports, or Dashboards.

Our DevExtreme components use the aforementioned jQuery.extend() method. Since DevExpress Web Reports and Dashboards use the DevExtreme widgets, they are also affected by this vulnerability.

The good news: this vulnerability has been fixed in jQuery v3.4.1+. As such, we've updated the following versions of our product suite:

  • v18.1.12
  • v18.2.9
  • v19.1.4

I recommend that you install our update - this will be the easiest way to move to jQuery v3.4.1.

Our ASP.NET MVC extensions do not use the jQuery.extend() method and subsequently, are not affected. However, for safety and consistency, we've upgraded the jQuery version used by our ASP.NET MVC library as well.

Upgrade npm packages

The following Dashboards and Web Reports npm packages are also affected:

  • @devexpress/analytics-core,
  • devexpress-reporting, and
  • devexpress-dashboard.

These packages have jQuery dependency version >= 3.3.1. Please run the following command and it'll update your jQuery to the latest version:

npm i jquery

If you encounter any issues, please contact our support team for immediate assistance.

4 comment(s)
Rustamer
Rustamer

19.1.4? Running ahead of the locomotive) Publish it now and not next week ;)

11 June, 2019
Mehul Harry (DevExpress)
Mehul Harry (DevExpress)

Hi @Customer37575, we'll publish v19.1.4 soon but we wanted to get the word out about this issue.

Btw, if you'd like, you can set your name and profile for the blogs here:

www.devexpress.com/MyAccount

11 June, 2019
Wojciech
Wojciech

What about ASP.NET WebForms for Bootstrap?

11 June, 2019
Vladimir Frizen (DevExpress)
Vladimir Frizen (DevExpress)

Hi Wojciech,

We upgraded jQuery in all ASP.NET WebFomrs product, including ASP.NET WebForms for Bootstrap.

13 June, 2019

Please login or register to post comments.