Adobe Experience Manager Sites & More

reno1 · 12/17/23

When conducting penetration testing on our company's Adobe as a Cloud Service, we identified two vulnerabilities, CVE-2019-11358 and CVE-2020-23064.

I observed that CVE-2019-11358 has been addressed as per the README.md file located at /libs/clientlibs/granite/jquery in CRXDE.

However, there is no record of a fix for CVE-2020-23064 in the official security patch reports.

Additionally, despite our project not utilizing jQuery and instead employing React for development,

we suspect that the detection of this vulnerability is linked to system references within AEM (Adobe Experience Manager).

CVE-2019-11358:
https://nvd.nist.gov/vuln/detail/CVE-2019-11358

CVE-2020-23064:
https://nvd.nist.gov/vuln/detail/CVE-2020-23064

Could you provide records or documentation confirming the resolution of these two issues through the respective fixes?

arunpatidar · 12/20/23

Hi @reno1
I am not 100% sure, I would recommend to check with Adobe and let them know the intentions, Generally Adobe got these kind of request and they have from past changes knowledge/experience.

They can better guide if it is recommended to change jquery and feasible or not in AEMaaCS.

Arun Patidar

View solution in original post

arunpatidar · 12/18/23

Hi @reno1
Please check the comments in the below thread for CVE-2019-11358

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/pen-test-vulnerabilities-f...

Adobe Support confirmed us they've already add the fixes for these issues in their product.

However no info available for CVE-2020-23064

Arun Patidar

reno1 · 12/18/23

The reply in this content mentions:

"Old post, but people still have the same question, and the 'solution' doesn't really solve the problem.

First, the out-of-the-box (OOTB) version of jQuery is an updated version of v1.12.4, and it already contains fixes for known vulnerabilities. So if you are looking to update jQuery simply to pass a security scan, then you should read this:

If you still want to use a newer version of jQuery, then the solution is simple.

Create your own clientlib that contains the version of jQuery that you want.
Set the 'categories' property of your clientlib to be "jquery."
Set the 'replaces' property of your clientlib to be "/libs/clientlibs/granite/jquery."

The key point is to set the 'replaces' property; otherwise, you'll end up loading both the OOTB code and your own version.

Can this fix be applied to AEM as a Cloud Service? Does AEM's underlying system use jQuery? If I upgrade the version to 3.6.0, will it affect AEM's functionality?

reno1 · 12/20/23

Hi @arunpatidar, is the solution proposed above feasible for AEM as a Cloud Service?

arunpatidar · 12/20/23

Hi @reno1
I am not 100% sure, I would recommend to check with Adobe and let them know the intentions, Generally Adobe got these kind of request and they have from past changes knowledge/experience.

They can better guide if it is recommended to change jquery and feasible or not in AEMaaCS.

Adobe Experience Manager Sites & More

Penetration testing on AEM as a Cloud Service identified two issues

Arun Patidar

Arun Patidar

Arun Patidar

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe