jQuery UI security vulnerability CVE-2022-31160 fix for 2.4.4, 2.4.5, and 2.4.6 releases

A security vulnerability, CVE-2022-31160, was reported for jQuery-UI library version 1.13.1, which is used as a dependency in Adobe Commerce 2.4.4, 2.4.5, and 2.4.6. Adobe is not aware of any exploits for this issue. The vulnerability has been fixed in jQuery-UI library version 1.13.2.

In June 2023, Adobe released the 2.4.6-p1, 2.4.5-p3, and 2.4.4-p4 security-only patches, in which the jQuery-UI library dependency was upgraded to the latest version, 1.13.2. However, for a complete fix you must also apply one of the two patches attached to this article.

Those releases upgraded the main jQuery-UI file, but the jQuery-UI supplemental module and widget files were not upgraded. If you are using Adobe Commerce 2.4.6-p1, 2.4.5-p3, 2.4.4-p4, or an earlier version, your security scanners might therefore still report the jQuery-UI CVE.
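To check whether the supplemental module and widget files in a deployment are still at the vulnerable version, the following Python script (added here as an example; it is not part of this article or of Adobe Commerce) reads the version header of every .js file under a directory and reports those below 1.13.2. It assumes the two header forms shown in the comments and uses a constructed sample tree in place of a real web root.

```python
import re
import tempfile
from pathlib import Path

# jQuery-UI release that resolves CVE-2022-31160, per the article above.
FIXED_VERSION = (1, 13, 2)

# Assumed header forms of jQuery UI distribution files:
#   /*! jQuery UI - v1.13.1 - 2022-01-20     (bundled build, e.g. jquery-ui.js)
#    * jQuery UI Dialog 1.13.1               (individual widget/module file)
# Both keep "jQuery UI" and the version on one line, so [^\d\n] stops at a newline.
HEADER_RE = re.compile(r"jQuery UI[^\d\n]*?v?(\d+)\.(\d+)\.(\d+)")

def detect_version(text):
    """Return the jQuery UI version tuple from a file's header comment, or None."""
    match = HEADER_RE.search(text[:2048])  # headers sit at the top of the file
    return tuple(int(part) for part in match.groups()) if match else None

def scan(root):
    """Walk `root` and map each jQuery UI file still below FIXED_VERSION to its version."""
    root = Path(root)
    outdated = {}
    for path in sorted(root.rglob("*.js")):
        version = detect_version(path.read_text(encoding="utf-8", errors="replace"))
        if version is not None and version < FIXED_VERSION:
            outdated[path.relative_to(root).as_posix()] = ".".join(map(str, version))
    return outdated

# Constructed sample tree reproducing the partial-upgrade state described above:
# the bundled file is at 1.13.2 but one widget module was left at 1.13.1.
SAMPLE_FILES = {
    "jquery/jquery-ui.js": "/*! jQuery UI - v1.13.2 - 2022-07-14\n(function(){})();\n",
    "jquery/ui-modules/widgets/dialog.js": "/*!\n * jQuery UI Dialog 1.13.1\n * http://jqueryui.com\n */\n",
    "jquery/ui-modules/core.js": "/*!\n * jQuery UI Core 1.13.2\n */\n",
    "mage/utils.js": "// unrelated file with no jQuery UI header\n",
}

def demo():
    """Write SAMPLE_FILES to a temp dir, scan it, and return the outdated-file map."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_FILES.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan(tmp)

if __name__ == "__main__":
    print(demo())
```

Run `scan()` against the deployed static directory (for example the path holding jquery-ui.js and its ui-modules folder) to list every file the attached patch still needs to bring to 1.13.2.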

Two patches are attached to this article: one for the 2.4.6 and 2.4.5 versions, and another for the 2.4.4 versions. They provide a complete upgrade of the jQuery-UI library to version 1.13.2.

This issue is going to be fixed as part of the October 2023 security patch release for your line: 2.4.6-p3, 2.4.5-p5, or 2.4.4-p6.

Affected products and versions

  • Adobe Commerce, on-premises, and Magento Open Source:

    • 2.4.4
    • 2.4.4-p1
    • 2.4.4-p2
    • 2.4.4-p3
    • 2.4.4-p4
    • 2.4.4-p5
    • 2.4.5
    • 2.4.5-p1
    • 2.4.5-p2
    • 2.4.5-p3
    • 2.4.5-p4
    • 2.4.6
    • 2.4.6-p1
    • 2.4.6-p2

Solution

Refer to How to apply a composer patch provided by Adobe before downloading the appropriate Composer patch for the version you have:

For 2.4.6-p2, 2.4.6-p1, 2.4.5-p4 and 2.4.5-p3 versions:

To resolve this security vulnerability on the 2.4.6-p2, 2.4.6-p1, 2.4.5-p4 and 2.4.5-p3 versions, apply a composer patch AC-9260_2.4.6-p2_2.4.6-p1_2.4.5-p4_2.4.5-p3.patch.

For 2.4.6, 2.4.5-p2, 2.4.5-p1, 2.4.5, 2.4.4-p3, 2.4.4-p2, 2.4.4-p1, and 2.4.4 versions:

To resolve this security vulnerability on 2.4.6, 2.4.5-p2, 2.4.5-p1, 2.4.5, 2.4.4-p3, 2.4.4-p2, 2.4.4-p1, and 2.4.4, first upgrade to the corresponding security-only patch release (2.4.6-p2, 2.4.5-p4, or 2.4.4-p5), then apply the Composer patch AC-9260_2.4.6-p2_2.4.6-p1_2.4.5-p4_2.4.5-p3.patch or AC-9260_2.4.4-p5_2.4.4-p4.patch, depending on your Adobe Commerce version.

For 2.4.4-p4 and 2.4.4-p5 versions:

To resolve this security vulnerability on the 2.4.4-p4 and 2.4.4-p5 versions, apply the Composer patch AC-9260_2.4.4-p5_2.4.4-p4.patch.
