
[BUG] Beaker is vulnerable to jquery multiple XSS - CVE-2020-11022 and CVE-2020-11023 #156

Open
desnesn opened this issue Jun 28, 2022 · 1 comment
desnesn commented Jun 28, 2022

DESCRIPTION
The systems at my company are scanned for security vulnerabilities, and Beaker has been flagged as vulnerable to CVE-2020-11022 and CVE-2020-11023, associated with multiple XSS in jQuery.

Port: 443/tcp
Severity: Medium
Summary: The remote web server is affected by multiple cross site scripting vulnerability.
Details: According to the self-reported version in the script, the version of JQuery hosted on the remote web server is greater than or equal to 1.2 and prior to 3.5.0. It is, therefore, affected by multiple cross site scripting vulnerabilities. Note, the vulnerabilities referenced in this plugin have no security impact on PAN-OS, and/or the scenarios required for successful exploitation do not exist on devices running a PAN-OS release.
Fix: Upgrade to JQuery version 3.5.0 or later.
Extra info:

URL               : https://<beaker.fqdn>/static/javascript/jquery-2.0.2.min.js
Installed version : 2.0.2
Fixed version     : 3.5.0

VERSION-RELEASE NUMBER
On the customer portal (https://access.redhat.com/solutions/32036) Red Hat says that jQuery is not maintained on RHEL-7, so the solution page suggests that users fetch the jQuery files from other packages in the RHEL-7 repos and maintain them on their own. This seems to be the case for Beaker, since jquery-2.0.2.min.js comes from the Beaker server package:

[root@<fqdn> javascript]# rpm -qf /usr/share/bkr/server/static/javascript/jquery-2.0.2.min.js
beaker-server-28.2-1.el7.noarch

ACTUAL BEHAVIOR
Beaker vulnerable to XSS.

EXPECTED BEHAVIOR
Beaker should not be vulnerable to XSS.

ADDITIONAL CONTEXT
At first, I tried patching our forked Beaker to use the jquery-3.5.1.min.js file (fetched from the java-latest-openjdk-javadoc-18.0.1.0.10-2.rolling.el7 rpm) instead of jquery-2.0.2.min.js, and also changing the widgets.py file:

--- a/Server/bkr/server/widgets.py
+++ b/Server/bkr/server/widgets.py
@@ -155,7 +155,7 @@ def update_params(self, d):
         d['urls'] = [url(u) for u in bundle.urls()]


-jquery = LocalJSLink('bkr', '/static/javascript/jquery-2.0.2.min.js',
+jquery = LocalJSLink('bkr', '/static/javascript/jquery-3.5.1.min.js',
         order=1) # needs to come after MochiKit
 beaker_js = LocalJSBundleLink('js', order=5)
 beaker_css = LocalCSSBundleLink('css')
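Review bot: this hunk swaps a jQuery 2.x build for a 3.x build without any matching change to the code that depends on it, which is a major-version jump with known API removals. The surrounding lines show why that matters: `beaker_js = LocalJSBundleLink('js', order=5)` still loads Beaker's own bundle after jQuery, the `# needs to come after MochiKit` comment documents library ordering dependencies on the same page, and the issue notes that `jquery-ui-1.9.2.min.js` ships alongside `jquery-2.0.2.min.js`, so jquery-ui is left paired with a core version it was not built against. The top-bar navigation breakage reported immediately after applying this is consistent with that. Suggest making the jquery-ui update part of the same patch, adding a commit message line that references CVE-2020-11022 / CVE-2020-11023, and including the top-bar navigation (`/jobs` and similar links) in the manual test before merging, rather than changing only the file name on this line.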

The Beaker server and services started normally, but I noticed that the top bar of the interface does not work anymore: instead of being forwarded to something like https://<beaker.fqdn>/jobs, the UI gets stuck on https://<beaker.fqdn>/# . Other than this, basic stuff seems fine and I was able to edit options and even provision a system through a job.

Since the last commit on this topic ( b5e7c42 ) also updated jquery-ui, I also tried fetching jquery-ui-1.11.2.min.js from the phpMyAdmin-4.4.15.10-6.el7 rpm and updating the widgets.py file accordingly.

I am attaching both patches I tried on this venture. Also, this is how I was finding the JS files:

[root@<fqdn> ~]# yum whatprovides *jquery-ui*.min.js | grep Filename
Filename    : /usr/share/RackTables/static/js/jquery-ui-1.8.21.min.js
Filename    : /usr/lib/python2.7/site-packages/reviewboard/static/lib/js/jquery-ui-1.8.24.custom.min.js
Filename    : /usr/lib/python2.7/site-packages/reviewboard/htdocs/static/lib/js/jquery-ui-1.8.24.custom.min.js
Filename    : /usr/share/bkr/server/static/javascript/jquery-ui-1.9.2.min.js
...

Where are the jquery and jquery-ui files on the beaker server rpm fetched from? Are they different from their original version? Not much of a js expert here :-P

Thanks in advance for any help on this :-)

0023-beaker-updating-jquery-min-js-to-fix-multiple-XSS-vu.v1.patch.txt
0023-beaker-updating-jquery-min-js-to-fix-multiple-XSS-vu.v2.patch.txt
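The scanner finding above is based on the version that jQuery self-reports in the banner comment at the top of each build, compared against the affected range (>= 1.2 and < 3.5.0). The following is an added example, not code from the Beaker project or from this issue, of an inventory check a defender can run over a static-assets directory such as `/usr/share/bkr/server/static/javascript` to find every vendored jQuery core build and flag the ones inside that range before (and after) a package upgrade. It assumes the banner formats shown in the comments (`/*! jQuery v2.0.2 | ...` for minified 2.x/3.x builds, `jQuery JavaScript Library v1.x` for unminified 1.x builds) and falls back to the version in the file name; jquery-ui files are skipped because these two CVEs cover jQuery core only. The sample files it scans are constructed inside a temporary directory so the script runs offline.

```python
"""Inventory check for vendored jQuery core builds (added example, not Beaker code).

Flags builds whose self-reported version falls in the range the scanner
reported for CVE-2020-11022 / CVE-2020-11023: >= 1.2 and < 3.5.0.
"""
import re
import tempfile
from pathlib import Path

# Affected range as quoted by the scanner in the issue.
AFFECTED_MIN = (1, 2, 0)
FIXED_VERSION = (3, 5, 0)

# jQuery self-reports its version in the leading banner comment, e.g.
#   /*! jQuery v2.0.2 | (c) 2005, 2013 jQuery Foundation, Inc. | jquery.org/license */
#   /*! jQuery JavaScript Library v1.12.4 ... (unminified builds)
# Assumption: these two banner shapes cover the builds we care about.
BANNER_RE = re.compile(r"jQuery\s+(?:JavaScript Library\s+)?v(\d+\.\d+(?:\.\d+)?)")
# Fallback when a build was stripped of its banner: version in the file name.
FILENAME_RE = re.compile(r"^jquery-(\d+\.\d+(?:\.\d+)?)(?:\.min)?\.js$")


def parse_version(text):
    """'3.5' -> (3, 5, 0); '2.0.2' -> (2, 0, 2). Tuples compare correctly."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def detect_jquery_version(path):
    """Return the jQuery core version of a file, or None if it is not one.

    Only the first 512 bytes are inspected; the banner sits at the very top,
    so we never load a multi-megabyte bundle into memory just to check it.
    """
    path = Path(path)
    head = path.read_bytes()[:512].decode("utf-8", errors="replace")
    m = BANNER_RE.search(head) or FILENAME_RE.search(path.name)
    return parse_version(m.group(1)) if m else None


def is_affected(version):
    """True when the version lies inside the scanner's affected range."""
    return AFFECTED_MIN <= version < FIXED_VERSION


def scan_directory(root):
    """Return [(path, version, affected)] for every jQuery core build under root."""
    findings = []
    for p in sorted(Path(root).rglob("*.js")):
        # jquery-ui is a separate project; these CVEs are about jQuery core.
        if p.name.startswith("jquery-ui"):
            continue
        v = detect_jquery_version(p)
        if v is not None:
            findings.append((str(p), v, is_affected(v)))
    return findings


# Constructed sample tree: banners modelled on real jQuery builds, bodies are stubs.
SAMPLE_FILES = {
    "static/javascript/jquery-2.0.2.min.js":
        "/*! jQuery v2.0.2 | (c) 2005, 2013 jQuery Foundation, Inc. | jquery.org/license */\n",
    "static/javascript/jquery-3.5.1.min.js":
        "/*! jQuery v3.5.1 | (c) JS Foundation and other contributors | jquery.org/license */\n",
    "static/javascript/jquery-ui-1.9.2.min.js":
        "/*! jQuery UI - v1.9.2 - 2012-11-23 */\n",
    "static/javascript/jquery-1.4.2.min.js":   # banner stripped: file-name fallback
        "(function(){})();\n",
    "static/javascript/app.js":
        "// application code, not a jQuery build\n",
}


def run_demo():
    """Build the constructed tree in a temp dir, scan it, return {name: (version, affected)}."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_FILES.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return {Path(p).name: (v, affected) for p, v, affected in scan_directory(tmp)}


if __name__ == "__main__":
    for name, (version, affected) in run_demo().items():
        status = "AFFECTED (< 3.5.0)" if affected else "ok"
        print(f"{name:28} {'.'.join(map(str, version)):8} {status}")
```

Run it as-is to see the constructed report, or call `scan_directory("/usr/share/bkr/server/static/javascript")` against a real install. Flagging a build only proves the version is in range; it does not prove the affected `htmlPrefilter` code paths are reachable from Beaker's pages, so treat a hit as a reason to upgrade and re-test the UI (as the issue describes), not as a confirmed exploitable finding.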

@desnesn desnesn added the bug label Jun 28, 2022
desnesn commented Jul 29, 2022

We tried using jquery_migrate ... which at first seemed to have bypassed the issue; however, it breaks ssh adding as follows:

0023-beaker-updating-jquery-min-js-to-fix-multiple-XSS-vu.patch.txt

(screenshot attached)
