JQuery UI security vulnerability CVE-2022-31160 fix for 2.4.4, 2.4.5, and 2.4.6 releases
A security vulnerability has been reported for jQuery-UI library version 1.13.1, which is used as a dependency in Adobe Commerce 2.4.4, 2.4.5, and 2.4.6. Adobe is not aware of any exploits for this issue. The vulnerability is fixed in jQuery-UI library version 1.13.2.
In June 2023 Adobe released the 2.4.6-p1, 2.4.5-p3, and 2.4.4-p4 security-only patches, in which the jQuery-UI library dependency was upgraded to the latest version, 1.13.2. However, for a complete fix you must also apply one of the two patches attached to this article.
Those releases upgraded the main jQuery-UI file, but the supplemental jQuery-UI module and widget files were not upgraded. If you are using Adobe Commerce 2.4.6-p1, 2.4.5-p3, or 2.4.4-p4, or an earlier version, your security scanners might therefore still report the jQuery-UI CVE.
Two patches are attached to this article: one for the 2.4.6 and 2.4.5 versions, and another for the 2.4.4 versions. Each provides a complete upgrade of the jQuery-UI library to version 1.13.2.
This issue will be fixed as part of the October 2023 security patch releases 2.4.6-p3, 2.4.5-p5, and 2.4.4-p6.
Affected products and versions
Adobe Commerce, on-premises, and Magento Open Source:
- 2.4.4
- 2.4.4-p1
- 2.4.4-p2
- 2.4.4-p3
- 2.4.4-p4
- 2.4.4-p5
- 2.4.5
- 2.4.5-p1
- 2.4.5-p2
- 2.4.5-p3
- 2.4.5-p4
- 2.4.6
- 2.4.6-p1
- 2.4.6-p2
Solution
Refer to How to apply a composer patch provided by Adobe before downloading the appropriate Composer patch for your version:
For the 2.4.6-p2, 2.4.6-p1, 2.4.5-p4, and 2.4.5-p3 versions:
To resolve this security vulnerability on the 2.4.6-p2, 2.4.6-p1, 2.4.5-p4, and 2.4.5-p3 versions, apply the composer patch AC-9260_2.4.6-p2_2.4.6-p1_2.4.5-p4_2.4.5-p3.patch.
For the 2.4.6, 2.4.5-p2, 2.4.5-p1, 2.4.5, 2.4.4-p3, 2.4.4-p2, 2.4.4-p1, and 2.4.4 versions:
To resolve this security vulnerability on 2.4.6, 2.4.5-p2, 2.4.5-p1, 2.4.5, 2.4.4-p3, 2.4.4-p2, 2.4.4-p1, and 2.4.4, first upgrade to the corresponding security-only patch release (2.4.6-p2, 2.4.5-p4, or 2.4.4-p5), then apply the composer patch AC-9260_2.4.6-p2_2.4.6-p1_2.4.5-p4_2.4.5-p3.patch or AC-9260_2.4.4-p5_2.4.4-p4.patch, depending on your Adobe Commerce version.
For the 2.4.4-p4 and 2.4.4-p5 versions:
To resolve this security vulnerability on the 2.4.4-p4 and 2.4.4-p5 versions, apply the composer patch AC-9260_2.4.4-p5_2.4.4-p4.patch.
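As an added example (not part of the Adobe article or its patches), the following POSIX shell check lets a site owner confirm after patching that no jQuery-UI module or widget file still declares a version other than 1.13.2, which is exactly what a scanner keeps flagging when only the main file was upgraded. The directory layout and file headers it builds are constructed to mirror the situation described above; they are not Adobe's actual file paths.

```shell
#!/usr/bin/env sh
# Added example, not from the Adobe article. Assumptions: jQuery UI files carry
# the upstream header "jQuery UI ... 1.13.x" or a `version: "1.13.x"` property,
# and the directory to scan is passed as the first argument.

EXPECTED_VERSION="1.13.2"

# Print "<version><TAB><file>" for every jQuery UI file whose declared version
# differs from $EXPECTED_VERSION. Usage: find_stale_jquery_ui <directory>
find_stale_jquery_ui() {
    dir="$1"
    # Only JavaScript files that identify themselves as jQuery UI code.
    find "$dir" -type f -name '*.js' -exec grep -l 'jQuery UI' '{}' + |
    while IFS= read -r file; do
        # Take the first x.y.z version from the header or the version property.
        version=$(grep -o -E '(jQuery UI[^0-9]*|version: ")[0-9]+\.[0-9]+\.[0-9]+' "$file" \
                  | head -n1 | grep -o -E '[0-9]+\.[0-9]+\.[0-9]+$')
        if [ -n "$version" ] && [ "$version" != "$EXPECTED_VERSION" ]; then
            printf '%s\t%s\n' "$version" "$file"
        fi
    done
}

# Constructed sample tree mirroring the article's scenario: the main file is at
# 1.13.2 while one supplemental widget file is still at 1.13.1.
make_sample_tree() {
    base="$1"
    mkdir -p "$base/ui-modules/widgets"
    printf '/*! jQuery UI - v1.13.2 - 2022-07-14\n * http://jqueryui.com */\n' \
        > "$base/jquery-ui.js"
    printf '/*!\n * jQuery UI Accordion 1.13.1\n */\n$.widget("ui.accordion", { version: "1.13.1" });\n' \
        > "$base/ui-modules/widgets/accordion.js"
    printf '/*!\n * jQuery UI Dialog 1.13.2\n */\n$.widget("ui.dialog", { version: "1.13.2" });\n' \
        > "$base/ui-modules/widgets/dialog.js"
    printf 'define([], function () { return {}; });\n' > "$base/unrelated.js"
}
```

Run `find_stale_jquery_ui /path/to/lib/web` against the deployed code base; an empty result means every jQuery UI file, including the supplemental modules, reports 1.13.2.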