Penetration testing on AEM as a Cloud Service identified two issues | Community
Skip to main content
R
reno1
Level 2
December 18, 2023
Solved

Penetration testing on AEM as a Cloud Service identified two issues

  • December 18, 2023
  • 1 reply
  • 2196 views

When conducting penetration testing on our company's Adobe as a Cloud Service, we identified two vulnerabilities, CVE-2019-11358 and CVE-2020-23064.

I observed that CVE-2019-11358 has been addressed as per the README.md file located at /libs/clientlibs/granite/jquery in CRXDE.

However, there is no record of a fix for CVE-2020-23064 in the official security patch reports.

 

Additionally, despite our project not utilizing jQuery and instead employing React for development,

we suspect that the detection of this vulnerability is linked to system references within AEM (Adobe Experience Manager).

 

CVE-2019-11358:
https://nvd.nist.gov/vuln/detail/CVE-2019-11358

CVE-2020-23064:
https://nvd.nist.gov/vuln/detail/CVE-2020-23064

 

Could you provide records or documentation confirming the resolution of these two issues through the respective fixes?

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by arunpatidar

Hi @arunpatidar, is the solution proposed above feasible for AEM as a Cloud Service?


Hi @reno1 
I am not 100% sure, I would recommend to check with Adobe and let them know the intentions, Generally Adobe got these kind of request and they have from past changes knowledge/experience.

They can better guide if it is recommended to change jquery and feasible or not in AEMaaCS.

1 reply

arunpatidar
Community Advisor
arunpatidarCommunity Advisor
Community Advisor
December 18, 2023

Hi @reno1 
Please check the comments in the below thread for CVE-2019-11358

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/pen-test-vulnerabilities-for-jquery-used-by-aem/m-p/397684 

Adobe Support confirmed us they've already add the fixes for these issues in their product.

 

However no info available for CVE-2020-23064

 

Arun Patidar
    R
    reno1Author
    Level 2
    December 19, 2023

    The reply in this content mentions:

     

    "Old post, but people still have the same question, and the 'solution' doesn't really solve the problem.

    First, the out-of-the-box (OOTB) version of jQuery is an updated version of v1.12.4, and it already contains fixes for known vulnerabilities. So if you are looking to update jQuery simply to pass a security scan, then you should read this:

    If you still want to use a newer version of jQuery, then the solution is simple.

    1. Create your own clientlib that contains the version of jQuery that you want.
    2. Set the 'categories' property of your clientlib to be "jquery."
    3. Set the 'replaces' property of your clientlib to be "/libs/clientlibs/granite/jquery."

    The key point is to set the 'replaces' property; otherwise, you'll end up loading both the OOTB code and your own version.

     

    Can this fix be applied to AEM as a Cloud Service? Does AEM's underlying system use jQuery? If I upgrade the version to 3.6.0, will it affect AEM's functionality?

      R
      reno1Author
      Level 2
      December 20, 2023

      Hi @arunpatidar, is the solution proposed above feasible for AEM as a Cloud Service?

        Terms & ConditionsAccessibility statement

        Loading footer...