Blueimp vulnerability

Issue date: 13-12-2021
Affects versions: 14.6, 13.4, 12.6

Security Issue ID

SECURITY-256

 

Affected Product Version(s)

14.6.3 and previous releases.


Severity 

critical

 

Description

NPM-4961

 
Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0

Unscored:

  • Severity: critical

References:

  • Advisory 4961: High severity vulnerability that affects blueimp-file-upload
  • https://nvd.nist.gov/vuln/detail/CVE-2018-9206
  • https://github.com/advisories/GHSA-4cj8-g9cp-v5wr

 

Vulnerable Software & Versions (NPM):

  • cpe:2.3:a::blueimp-file-upload:<=9.22.0:::::::

 

Patches

The problem has been recognized and patched. The fix will be available in version 9.22.1.

Bloomreach has updated to the latest version 9.34.0 which is no longer vulnerable.
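
To confirm that a project no longer resolves an affected copy, the following added example (not code from Bloomreach or the blueimp project) scans a parsed package-lock.json for blueimp-file-upload at or below 9.22.0, including copies nested under other packages. The sample lockfile and the names demo-app and legacy-widget are constructed for illustration.

```javascript
// Added example: flag blueimp-file-upload <= 9.22.0 in a parsed package-lock.json.
const PKG = "blueimp-file-upload";
const LAST_VULNERABLE = [9, 22, 0]; // advisory: versions <= 9.22.0 are affected

// Parse "9.22.0" (optionally "v"-prefixed) into [major, minor, patch], else null.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

function isVulnerable(version) {
  const p = parseVersion(version);
  if (!p) return true; // unparsable or missing version: flag for manual review
  for (let i = 0; i < 3; i++) {
    if (p[i] !== LAST_VULNERABLE[i]) return p[i] < LAST_VULNERABLE[i];
  }
  return true; // exactly 9.22.0
}

// List every installed copy. lockfileVersion 2/3 uses a flat "packages" map keyed
// by node_modules path; lockfileVersion 1 nests copies under "dependencies".
function findInstalls(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`)) {
        hits.push({ where: path, version: info.version });
      }
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === PKG) hits.push({ where: here.join(" > "), version: info.version });
      walk(info.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

const audit = (lock) => findInstalls(lock).filter((h) => isVulnerable(h.version));

// Constructed sample lockfile; "demo-app" and "legacy-widget" are made-up names.
const sampleLock = { lockfileVersion: 2, packages: {
  "": { name: "demo-app" },
  "node_modules/blueimp-file-upload": { version: "9.34.0" },
  "node_modules/legacy-widget/node_modules/blueimp-file-upload": { version: "9.22.0" },
} };
console.log(audit(sampleLock));
```

In a real project, pass the result of parsing the project's own package-lock.json to audit(); an empty array means no affected copy is installed.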

 

Instructions

Customers using 14.x versions are advised to upgrade to the latest version in that series.