REDHAT-BUG-2019148
First published: Mon Nov 01 2021(Updated: )
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources. Reference: <a href="https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4">https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4</a> Upstream patch: <a href="https://github.com/jquery/jquery-ui/pull/1953">https://github.com/jquery/jquery-ui/pull/1953</a>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| jQuery UI | <1.13.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4
- https://github.com/jquery/jquery-ui/pull/1953
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2019150
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2019149
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2019151
- https://access.redhat.com/errata/RHSA-2022:4711
- https://access.redhat.com/security/cve/cve-2021-41183
- https://bugzilla.redhat.com/show_bug.cgi?id=2019148
Frequently Asked Questions
What is the severity of REDHAT-BUG-2019148?
REDHAT-BUG-2019148 is classified as a high severity vulnerability due to potential code execution risks.
How do I fix REDHAT-BUG-2019148?
To fix REDHAT-BUG-2019148, upgrade to jQuery UI version 1.13.0 or later.
What are the consequences of not mitigating REDHAT-BUG-2019148?
Not mitigating REDHAT-BUG-2019148 could allow attackers to execute untrusted code through the Datepicker widget.
Which versions of jQuery UI are affected by REDHAT-BUG-2019148?
Versions of jQuery UI prior to 1.13.0 are affected by REDHAT-BUG-2019148.
What components are impacted by REDHAT-BUG-2019148?
The Datepicker widget in jQuery UI that accepts various *Text options from untrusted sources is impacted by REDHAT-BUG-2019148.
- agent/references
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-41183
- agent/severity
- agent/description
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/jquery
- canonical/jquery ui