Hi all. I would like to raise an issue that I found while running a website security test on my Dataverse. It is related to the components jQuery UI, Bootstrap, jQuery and OwlCarousel.
@Santiago Florez huh, interesting. You're saying you'd like a fix for all this in 6.4? We're planning to release soon, maybe even Thursday (we'll see).
Yeaahh, it'll be interesting, I could collaborate :).
I have configured some Dataverse instances. I have good knowledge of the Dataverse system.
@Santiago Florez ok, could you start by emailing security@dataverse.org please?
sure, about what?
About those CVEs.
I might have mentioned it before: there are Maven packages for these dependencies, which might make it easier to update them regularly, because you don't have to bundle them manually. https://www.baeldung.com/maven-webjars
And we probably should move this discussion to #security :grinning_face_with_smiling_eyes:
9 messages were moved here from #community > Release 6.4 Proposals by Philip Durbin.
Sure, moved, but I still wonder about this security channel. Please see #security > discuss security elsewhere?
You're right. Maybe we should make this not web public. Or even invite only. We probably could create a GitHub action that will invite someone to the channel once an admin approves a request in a GH issue.
For the topic at hand: the CVE found is 4.1, low risk if at all. The others are just outdated warnings. Should be fine to discuss this in the open.
Ok, good. But let's take the meta discussion to #security > discuss security elsewhere? please. :grinning:
Hi all!
This is Jeya from NTU Singapore. Currently we are at Dataverse v5.12.1. We also encountered the CVE-2022-31160 vulnerability finding reported by a security scan. Up to Dataverse v6.7.1, I see that only PrimeFaces v11.0.0, which contains jQuery UI v1.13, is used. Can you please share what the progress of this discussion is and your thoughts on how to mitigate this issue?
Hi @Jeyalakshmi Sambasivam ! A lot of effort is currently being put into moving away from JSF and PrimeFaces towards a new frontend built in React. We try not to put too much effort into the "old" JSF frontend. That said, this security issue might qualify as something we should look at.
Of course it would be a lot easier if the community stepped up and helped out. From a quick look at https://github.com/primefaces/primefaces I see that there's now PrimeFaces v15. Would you feel up to the task of migrating Dataverse's JSF UI to this newer version? In the past, we had some bad experiences with breaking changes between their major versions, so it might escalate quickly. Or not. Who knows...
We're of course happy to guide you along the process of developing, testing and creating a contribution.
I see they updated to jQuery UI 1.13.2 in v12, 1.13.3 in v14 and 1.14 in v15. Looking at https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9 it seems upgrading from v11 to v12 would already fix this particular CVE-2022-31160.
So this might be worth a shot. In their migration guide 11 to 12 they don't list any breaking changes. Could actually be a simple thing to do, but will require thorough testing.
@Santiago Florez as the one who brought this up initially - would you be able to step up?
I've said this before, but PrimeFaces is not a good choice for an open source project. To include PrimeFaces in your open source project, you must use the major release (e.g. 7.0) and you can't use versions with bug fixes (e.g. 7.0.8).
Hi Oliver Bertuch and @Philip Durbin , thank you very much for your suggestions. As we are quite behind on Dataverse versions, we plan to focus on upgrading to higher versions first and then try the options suggested by @Oliver Bertuch to avoid rework.
Last updated: Nov 01 2025 at 14:11 UTC