[
https://issues.apache.org/jira/browse/ARTEMIS-3971?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17600774#comment-17600774
]
Justin Bertram commented on ARTEMIS-3971:
-----------------------------------------
To remove any manuals just remove the directory which contains it (e.g.
{{user-manual}}, {{hacking-guide}}, etc.). To remove the examples just remove
the {{examples}} directory. To remove the JavaDoc just remove the {{api}}
directory. If you remove the entire {{web}} directory then you'll also remove
the web console which may be fine for your use-case, but it's often used in
production so you may not want to remove it.
> Upgrade vulnerable javascript dependencies - jQuery, jQuery UI, jszip
> ---------------------------------------------------------------------
>
> Key: ARTEMIS-3971
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3971
> Project: ActiveMQ Artemis
> Issue Type: Bug
> Components: API
> Affects Versions: 2.24.0
> Reporter: Jakub Moravec
> Priority: Critical
>
> Please upgrade the listed libraries, as there are reported vulnerabilities
> for them, see the list below. This is a blocker for production deployments.
> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11358]
> {quote}jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other
> products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype
> pollution. If an unsanitized source object contained an enumerable
> __proto__ property, it could extend the native Object.prototype.
> {quote}
> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11022]
> {quote}In jQuery versions greater than or equal to 1.2 and before 3.5.0,
> passing HTML from untrusted sources - even after sanitizing it - to one of
> jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may
> execute untrusted code. This problem is patched in jQuery 3.5.0.
> {quote}
> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11023]
> {quote}In jQuery versions greater than or equal to 1.0.3 and before 3.5.0,
> passing HTML containing <option> elements from untrusted sources - even after
> sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(),
> .append(), and others) may execute untrusted code. This problem is patched in
> jQuery 3.5.0.
> {quote}
> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31160]
> {quote}jQuery UI is a curated set of user interface interactions, effects,
> widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are
> potentially vulnerable to cross-site scripting. Initializing a checkboxradio
> widget on an input enclosed within a label makes that parent label contents
> considered as the input label. Calling `.checkboxradio( "refresh" )` on such
> a widget and the initial HTML contained encoded HTML entities will make them
> erroneously get decoded. This can lead to potentially executing JavaScript
> code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue,
> someone who can change the initial HTML can wrap all the non-input contents
> of the `label` in a `span`.
> {quote}
> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23413]
> {quote}This affects the package jszip before 3.7.0. Crafting a new zip file
> with filenames set to Object prototype values (e.g __proto__, toString,
> etc) results in a returned object with a modified prototype instance.
> {quote}
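The two prototype-pollution advisories quoted above (CVE-2019-11358 for jQuery.extend and CVE-2021-23413 for jszip filenames) share one root cause: untrusted keys such as __proto__, constructor or toString being written into, or looked up on, an ordinary object. The following is an added example, not code from the Artemis project, the reporter, or the jQuery/jszip libraries; the function names safeDeepMerge, buildEntryTable and lookupEntry and the sample input are assumptions constructed for this illustration. It shows the defensive pattern for both cases: a recursive merge that refuses prototype-reaching keys, and a filename-keyed table built on a null-prototype object.

```javascript
"use strict";

// Added example (not Artemis, jQuery or jszip code). Keys that must never be
// copied from an untrusted source, because writing them reaches
// Object.prototype or a constructor's prototype instead of the target.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Recursive merge of `source` into `target` (the jQuery.extend(true, ...)
// shape). Forbidden keys are skipped and recorded in `skipped`; nested plain
// objects are recursed into; arrays are copied so the result never aliases
// untrusted data. Returns { result, skipped } so callers can log rejections.
function safeDeepMerge(target, source, skipped = []) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      skipped.push(key);
      continue;
    }
    const value = source[key];
    if (isPlainObject(value)) {
      // Only descend into an own, plain-object property of the target;
      // anything inherited or non-plain is replaced with a fresh object.
      const ownPlain =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownPlain) target[key] = {};
      safeDeepMerge(target[key], value, skipped);
    } else if (Array.isArray(value)) {
      target[key] = value.slice();
    } else {
      target[key] = value;
    }
  }
  return { result: target, skipped };
}

// Filename-keyed lookup table for archive entries (the jszip shape). A
// null-prototype object has no inherited __proto__ setter or toString, so an
// entry named after a prototype member is stored as an ordinary own property
// and cannot alter the prototype chain.
function buildEntryTable(entries) {
  const table = Object.create(null);
  for (const { name, data } of entries) {
    table[name] = data;
  }
  return table;
}

// Own-property lookup; never falls through to inherited members.
function lookupEntry(table, name) {
  return Object.prototype.hasOwnProperty.call(table, name) ? table[name] : undefined;
}

// Constructed sample input: what a hostile JSON config or zip listing might
// carry. JSON.parse creates an own "__proto__" data property, which is exactly
// the case a naive merge mishandles.
function demo() {
  const untrusted = JSON.parse(
    '{"__proto__":{"polluted":"yes"},"constructor":{"prototype":{"x":1}},' +
      '"settings":{"theme":"dark","list":[1,2]}}'
  );
  const merged = safeDeepMerge({ settings: { theme: "light", sound: true } }, untrusted);
  const table = buildEntryTable([
    { name: "__proto__", data: "entry-a" },
    { name: "toString", data: "entry-b" },
    { name: "readme.txt", data: "entry-c" },
  ]);
  return {
    merged,
    table,
    // Sanity check that Object.prototype was not touched by the merge.
    prototypeClean: ({}).polluted === undefined,
  };
}

console.log(JSON.stringify({ skipped: demo().merged.skipped, clean: demo().prototypeClean }));
```

The design choice worth noting is that rejection is logged rather than silent: a skipped __proto__ key in a config merge is itself a signal worth surfacing in application logs, since benign input has no reason to carry it.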
--
This message was sent by Atlassian Jira
(v8.20.10#820010)