Addressing security vulnerabilities in ReportViewerWebControl.axd dependencies

Shende1, Pankaj 0 Reputation points
2024-10-09T14:26:02.7066667+00:00

Hello Microsoft community,

We're using the ReportViewerWebControl.axd(Version=15.0.0.0) in our application and have identified potential security vulnerabilities in its dependencies, specifically outdated versions of jQuery and Knockout. Our security scan has flagged the following issues:

  1. jQuery (versions 2.1.1 and 3.3.1):
    • Multiple CVEs including CVE-2015-9251, CVE-2019-11358, CVE-2020-11023, and CVE-2020-11022
    • End-of-life status for jQuery 1.x and 2.x
  2. Knockout (version 3.2.0):
    • CVE-2019-14862

As ReportViewerWebControl.axd is a Microsoft-controlled component, we cannot directly update these dependencies. We're seeking guidance on:

  1. Is Microsoft aware of these vulnerabilities in the control?
  2. Are there plans to update the dependencies in ReportViewerWebControl.axd?
  3. Can you recommend any mitigation strategies we can implement without modifying the control itself?
  4. Is there a way to override or replace the vulnerable scripts while still using the control?

Any insights or recommendations would be greatly appreciated. We're committed to maintaining the security of our application and would like to address these vulnerabilities as effectively as possible.

Thank you for your assistance.

ASP.NET
A set of technologies in the .NET Framework for building web applications and XML web services.

3 answers

  1. Albert Kallal 5,256 Reputation points
    2024-10-09T17:32:16.8833333+00:00

    You could try upgrading (nuget) to the latest edition. While the reference shows 15.0.0.0, if you look close at the reference for that viewer, you find this version:

    [screenshot of the assembly reference]

    So, I see 150.1652.0. And it looks to be using jQuery 3.6. So, consider updating the report viewer control, as it should be using at least jQuery 3.6. Can't comment on the other issues, but try updating the report viewer control.


  2. SurferOnWww 3,201 Reputation points
    2024-10-11T01:35:04.3233333+00:00

    As ReportViewerWebControl.axd is a Microsoft-controlled component, we cannot directly update these dependencies.

    The ReportViewerWebControl.axd is only an HTTP handler which is used to download external JavaScript files. See the following image, which shows the HTML source of the ReportViewer page:

    [screenshot of the page's HTML source]

    Since the ReportViewerWebControl.axd is only an HTTP handler, I don't think that there are potential security vulnerabilities in the ReportViewerWebControl.axd itself.

    As you can see in the above HTML source, the ReportViewerWebControl.axd downloads the jquery.min.js and knockout.js.

    Check the versions of the jquery.min.js and knockout.js in your environment. You will be able to see the source code of JavaScript files by clicking the ReportViewerWebControl.axd in the above html source as shown below:

    [screenshot of the jquery.min.js source served by the handler]

    [screenshot of the knockout.js source served by the handler]

    The above are the results for the ReportViewer latest version 15.0.1652. I guess that your issue will be solved when you use the ReportViewer latest version 15.0.1652.

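The check described in the answer above, as an added example that is not part of the thread and not Microsoft's code: instead of clicking each ReportViewerWebControl.axd URL in the page source and reading the banner by eye, collect those script URLs from the page HTML, read the version banner each served script starts with, and compare it against the first releases that fixed the CVEs the question lists (jQuery 3.5.0 for CVE-2020-11022/11023, with 3.4.0 and 3.0.0 covering CVE-2019-11358 and CVE-2015-9251; Knockout 3.5.0 for CVE-2019-14862). The page URL, the query-string shape of the sample .axd URLs and the sample script headers are constructed for the example; matching is on the handler name only, so the real query string does not matter.

```python
"""Find which jQuery and Knockout builds a ReportViewer page actually serves.

Added example, not code from the thread or from Microsoft. The script URLs,
page URL and script headers below are constructed sample data.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin
from urllib.request import urlopen

HANDLER = "ReportViewerWebControl.axd"

# Banner lines found at the top of each library's released builds.
BANNERS = {
    "jquery": re.compile(r"jQuery (?:JavaScript Library )?v(\d+)\.(\d+)\.(\d+)"),
    "knockout": re.compile(r"Knockout JavaScript library v(\d+)\.(\d+)\.(\d+)"),
}

# First release containing the fixes for the CVEs the question lists
# (jQuery 3.5.0, Knockout 3.5.0). Re-verify against the CVE records
# before putting the numbers in a report.
MIN_FIXED = {"jquery": (3, 5, 0), "knockout": (3, 5, 0)}


class _AxdScriptCollector(HTMLParser):
    """Collects src attributes of <script> tags that point at the .axd handler."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src") or ""
        if HANDLER in src:
            self.srcs.append(src)


def extract_axd_script_urls(html, base_url):
    """Return absolute URLs of every ReportViewerWebControl.axd script on the page."""
    parser = _AxdScriptCollector()
    parser.feed(html)
    return [urljoin(base_url, s) for s in parser.srcs]


def identify_library(js_source):
    """Return (library, (major, minor, patch)) from the header banner, or None.

    Only the first 2 KB is inspected: the banner is at the top and the
    minified body can be hundreds of kilobytes.
    """
    head = js_source[:2048]
    for name, pattern in BANNERS.items():
        m = pattern.search(head)
        if m:
            return name, tuple(int(x) for x in m.groups())
    return None


def check_served_scripts(sources_by_url):
    """Given {url: js_source}, report each identified library and whether it predates the fixes."""
    findings = []
    for url, source in sources_by_url.items():
        ident = identify_library(source)
        if ident is None:
            continue  # some other resource served by the handler
        name, version = ident
        findings.append({
            "url": url,
            "library": name,
            "version": ".".join(map(str, version)),
            "below_fixed": version < MIN_FIXED[name],
        })
    return findings


def fetch_and_check(page_url, timeout=10):
    """Live variant: download the ReportViewer page and each .axd script, then check them.

    Not exercised offline; point it at your own report page (adding whatever
    authentication the page requires to the requests).
    """
    html = urlopen(page_url, timeout=timeout).read().decode("utf-8", "replace")
    sources = {}
    for url in extract_axd_script_urls(html, page_url):
        sources[url] = urlopen(url, timeout=timeout).read().decode("utf-8", "replace")
    return check_served_scripts(sources)


# --- Constructed sample data standing in for a live page --------------------
PAGE_URL = "https://reports.example.test/Viewer.aspx"
SAMPLE_HTML = """<html><head>
<script src="/WebResource.axd?d=abc" type="text/javascript"></script>
<script src="/Reserved.ReportViewerWebControl.axd?OpType=Resource&amp;Name=jquery.min.js" type="text/javascript"></script>
<script src="/Reserved.ReportViewerWebControl.axd?OpType=Resource&amp;Name=knockout.js" type="text/javascript"></script>
</head><body></body></html>"""
_BASE = PAGE_URL.rsplit("/", 1)[0]
SAMPLE_SOURCES = {
    _BASE + "/Reserved.ReportViewerWebControl.axd?OpType=Resource&Name=jquery.min.js":
        "/*! jQuery v2.1.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */\n!function(a,b){/* ... */}",
    _BASE + "/Reserved.ReportViewerWebControl.axd?OpType=Resource&Name=knockout.js":
        "// Knockout JavaScript library v3.2.0\n// (c) Steven Sanderson\n// License: MIT\n(function(){/* ... */})();",
}

if __name__ == "__main__":
    for u in extract_axd_script_urls(SAMPLE_HTML, PAGE_URL):
        print("script:", u)
    for f in check_served_scripts(SAMPLE_SOURCES):
        print(f)
```

Run against a real deployment with fetch_and_check(); a scanner that only sees `Version=15.0.0.0` in the assembly reference cannot tell you what the handler serves, and this is what the banner check settles. If the served jQuery banner reads 3.6.x, as the earlier answer reports for the 15.0.1652 package, the four jQuery CVEs in the question no longer apply to the bundled copy.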

