[
https://issues.apache.org/jira/browse/ARTEMIS-3971?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17600879#comment-17600879
]
Robbie Gemmell commented on ARTEMIS-3971:
-----------------------------------------
Ill be removing the jquery etc bits shortly with -noindex on the javadoc build.
We can discuss seperately removing the javadoc as a whole.
> Upgrade vulnerable javascript dependencies - jQuery, jQuery UI, jszip
> ---------------------------------------------------------------------
>
> Key: ARTEMIS-3971
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3971
> Project: ActiveMQ Artemis
> Issue Type: Bug
> Components: API
> Affects Versions: 2.24.0
> Reporter: Jakub Moravec
> Priority: Critical
>
> Please upgrade the listed libraries, as there are reported vulnerabilities
> for them, see the list below. This is a blocker for production deployments.
> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11358]
> {quote}jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other
> products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype
> pollution. If an unsanitized source object contained an enumerable
> _{_}proto{_}_ property, it could extend the native Object.prototype.
> {quote}
> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11022]
> {quote}In jQuery versions greater than or equal to 1.2 and before 3.5.0,
> passing HTML from untrusted sources - even after sanitizing it - to one of
> jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may
> execute untrusted code. This problem is patched in jQuery 3.5.0.
> {quote}
> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11023]
> {quote}In jQuery versions greater than or equal to 1.0.3 and before 3.5.0,
> passing HTML containing <option> elements from untrusted sources - even after
> sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(),
> .append(), and others) may execute untrusted code. This problem is patched in
> jQuery 3.5.0.
> {quote}
> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31160]
> {quote}jQuery UI is a curated set of user interface interactions, effects,
> widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are
> potentially vulnerable to cross-site scripting. Initializing a checkboxradio
> widget on an input enclosed within a label makes that parent label contents
> considered as the input label. Calling `.checkboxradio( "refresh" )` on such
> a widget and the initial HTML contained encoded HTML entities will make them
> erroneously get decoded. This can lead to potentially executing JavaScript
> code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue,
> someone who can change the initial HTML can wrap all the non-input contents
> of the `label` in a `span`.
> {quote}
> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23413]
> {quote}This affects the package jszip before 3.7.0. Crafting a new zip file
> with filenames set to Object prototype values (e.g _{_}proto{_}_, toString,
> etc) results in a returned object with a modified prototype instance.
> {quote}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
