jQuery UI security vulnerability CVE-2022-31160 fix for 2.4.4, 2.4.5, and 2.4.6 releases
Adobe Commerce versions 2.4.4, 2.4.5, and 2.4.6 use jQuery UI 1.13.1, which has a known security vulnerability (CVE-2022-31160). Although the main jQuery UI file was updated in recent security patches, some supplemental files were not. To fully resolve this issue, upgrade to the latest security patch for your version and apply the appropriate composer patch provided in this article.
Description
Affected products and versions
Adobe Commerce, on-premises, and Magento Open Source:
- 2.4.4
- 2.4.4-p1
- 2.4.4-p2
- 2.4.4-p3
- 2.4.4-p4
- 2.4.4-p5
- 2.4.5
- 2.4.5-p1
- 2.4.5-p2
- 2.4.5-p3
- 2.4.5-p4
- 2.4.6
- 2.4.6-p1
- 2.4.6-p2
Issue/Symptoms
A security vulnerability has been reported for jQuery-UI library version 1.13.1, which is used as a dependency in Adobe Commerce 2.4.4, 2.4.5, and 2.4.6. Adobe is not aware of any exploits for this issue. The vulnerability has been fixed in jQuery-UI library version 1.13.2.
In June 2023 Adobe released the 2.4.6-p1, 2.4.5-p3, and 2.4.4-p4 security-only patches, in which the jQuery-UI library dependency was upgraded to the latest 1.13.2 version. However, for a complete fix you must also apply one of the two patches attached to this article.
The main jQuery-UI file was upgraded, but the supplemental jQuery-UI module and widget files were not. If you are using Adobe Commerce 2.4.6-p1, 2.4.5-p3, or 2.4.4-p4, or an earlier version, your security scanners might still report the jQuery-UI CVE.
Attached to this article are two patches, one for the 2.4.6 and 2.4.5 versions and another for the 2.4.4 versions, which provide a complete upgrade of the jQuery-UI library to version 1.13.2.
This issue will be fully fixed in the October 2023 release security patches 2.4.6-p3, 2.4.5-p5, or 2.4.4-p6.
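Because the incomplete fix leaves individual jQuery-UI module and widget files at 1.13.1 while the main bundle reports 1.13.2, a useful check after patching is to scan every JavaScript file in the jQuery library directory for its embedded version marker rather than trusting the bundle header alone. The script below is an added example, not part of this article or of Adobe's patch. It assumes the upstream jQuery UI file conventions (a `/*! jQuery UI - v1.13.x` banner in built bundles and a `version: "1.13.x"` or `version = "1.13.x"` property in module files) and that the files live under a directory such as `lib/web/jquery` in the Commerce install; the sample tree it builds is constructed for illustration.

```shell
#!/bin/sh
# Scan a directory of jQuery UI files and report any that still carry a version
# older than 1.13.2 (the release that fixes CVE-2022-31160).
# Assumptions (not from the article): built bundles start with
# "/*! jQuery UI - vX.Y.Z", module/widget files contain 'version: "X.Y.Z"' or
# 'version = "X.Y.Z"'. Point it at the jQuery library directory, e.g. lib/web/jquery.

# Print "<file> <version>" for each .js file that carries a jQuery UI version marker.
scan_jquery_ui_versions() {
    dir="$1"
    find "$dir" -type f -name '*.js' | sort | while IFS= read -r f; do
        # Take the first marker found in the file; files without one are skipped.
        v=$(grep -o -m1 -E 'jQuery UI - v[0-9]+\.[0-9]+\.[0-9]+|version ?[:=] ?"[0-9]+\.[0-9]+\.[0-9]+"' "$f" \
            | grep -o -E '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)
        if [ -n "$v" ]; then
            printf '%s %s\n' "$f" "$v"
        fi
    done
}

# Return 0 when every marked file is at 1.13.2 or newer, 1 (and list the
# offending files) otherwise.
check_jquery_ui_fixed() {
    stale=$(scan_jquery_ui_versions "$1" | awk '
        {
            split($2, p, ".")
            if (p[1] < 1 || (p[1] == 1 && (p[2] < 13 || (p[2] == 13 && p[3] < 2)))) print $1
        }')
    if [ -n "$stale" ]; then
        printf 'Files still on jQuery UI < 1.13.2:\n%s\n' "$stale"
        return 1
    fi
    return 0
}

# Build a constructed sample tree mimicking a half-patched install: the bundle is
# at 1.13.2, one widget module is at the version given as $1, plus an unrelated file.
make_sample_tree() {
    widget_version="$1"
    d=$(mktemp -d)
    mkdir -p "$d/ui-modules/widgets"
    printf '/*! jQuery UI - v1.13.2 - 2022-07-14\n * http://jqueryui.com\n */\n' > "$d/jquery-ui.js"
    printf '$.widget( "ui.dialog", {\n\tversion: "%s",\n\toptions: {}\n} );\n' "$widget_version" > "$d/ui-modules/widgets/dialog.js"
    printf 'define([], function () { return {}; });\n' > "$d/helper.js"
    printf '%s\n' "$d"
}

# Usage against a real install (hypothetical path):
#   check_jquery_ui_fixed /var/www/magento/lib/web/jquery
```

The version comparison is done numerically on the three components so that a future 1.14.0 or 2.0.0 is not misreported as stale; a scanner that only greps the bundle banner is exactly the blind spot this article describes.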
Resolution
Refer to How to apply a composer patch provided by Adobe before downloading the appropriate composer patch for your version:
For 2.4.6-p2, 2.4.6-p1, 2.4.5-p4 and 2.4.5-p3 versions:
To resolve this security vulnerability on the 2.4.6-p2, 2.4.6-p1, 2.4.5-p4, and 2.4.5-p3 versions, apply the composer patch attached to this article for the 2.4.6 and 2.4.5 versions.
For 2.4.6, 2.4.5-p2, 2.4.5-p1, 2.4.5, 2.4.4-p3, 2.4.4-p2, 2.4.4-p1, and 2.4.4 versions:
To resolve this security vulnerability on 2.4.6, 2.4.5-p2, 2.4.5-p1, 2.4.5, 2.4.4-p3, 2.4.4-p2, 2.4.4-p1, and 2.4.4, first upgrade to the corresponding 2.4.6-p2, 2.4.5-p4, or 2.4.4-p5 security-only patch, then apply the composer patch attached to this article that matches your Adobe Commerce version.
For 2.4.4-p4 and 2.4.4-p5 versions:
To resolve this security vulnerability on the 2.4.4-p4 and 2.4.4-p5 versions, apply the composer patch attached to this article for the 2.4.4 versions.
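For reference, the composer-patch mechanism that Adobe's "How to apply a composer patch" procedure relies on registers the patch file under the `extra.patches` key of the project's `composer.json`, keyed by the package the patch modifies. The fragment below is an added example, not Adobe's own configuration: the patch filename is a placeholder for whichever of the two attached patches matches your version, and the target package `magento/magento2-base` is an assumption based on that package shipping the `lib/web` directory; confirm the package name against the header of the patch you download.

```json
{
    "extra": {
        "patches": {
            "magento/magento2-base": {
                "CVE-2022-31160: upgrade jQuery-UI supplemental files to 1.13.2": "patches/composer/PLACEHOLDER_JQUERY_UI_1.13.2.patch"
            }
        }
    }
}
```

After adding the entry, reinstalling the project's dependencies with composer applies the patch, and the build log will show whether it applied cleanly; a patch that fails to apply usually means the security-only patch level listed above has not been reached yet.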