[ https://issues.apache.org/jira/browse/ARTEMIS-3971?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17600906#comment-17600906 ]

ASF subversion and git services commented on ARTEMIS-3971:
----------------------------------------------------------

Commit 66ac39eb8157414af7b05c3a59e1bc493daf4be6 in activemq-artemis's branch 
refs/heads/main from Robbie Gemmell
[ https://gitbox.apache.org/repos/asf?p=activemq-artemis.git;h=66ac39eb81 ]

ARTEMIS-3971: set -noindex to exclude various .js files from javadoc output


> remove vulnerable .js deps from javadoc output - jQuery, jQuery UI, jszip
> -------------------------------------------------------------------------
>
>                 Key: ARTEMIS-3971
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3971
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: API
>    Affects Versions: 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.23.1, 2.24.0, 2.25.0
>            Reporter: Jakub Moravec
>            Assignee: Robbie Gemmell
>            Priority: Major
>             Fix For: 2.26.0
>
>
> Following https://openjdk.org/jeps/225, the javadoc output on JDK9+ has 
> included a search box. To enable this various javascript files and a zipped 
> index are included in the javadoc output. This means they were introduced to 
> the output once the project required Java 11, i.e. from 2.20.0, as previously Java 8 
> was used to run the release builds. These files are of whatever version the 
> JDK used to run the build has included, and can tend to get stale.
> Setting the -noindex option when building the javadoc removes the search, so 
> we can add this option and remove the need to deal with these files going 
> stale in future.
> ==== Original report =====
> Please upgrade the listed libraries, as there are reported vulnerabilities 
> for them, see the list below. This is a blocker for production deployments.
> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11358]
> {quote}jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other 
> products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype 
> pollution. If an unsanitized source object contained an enumerable 
> `__proto__` property, it could extend the native Object.prototype.
> {quote}
> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11022]
> {quote}In jQuery versions greater than or equal to 1.2 and before 3.5.0, 
> passing HTML from untrusted sources - even after sanitizing it - to one of 
> jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may 
> execute untrusted code. This problem is patched in jQuery 3.5.0.
> {quote}
> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11023]
> {quote}In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, 
> passing HTML containing <option> elements from untrusted sources - even after 
> sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), 
> .append(), and others) may execute untrusted code. This problem is patched in 
> jQuery 3.5.0.
> {quote}
> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31160]
> {quote}jQuery UI is a curated set of user interface interactions, effects, 
> widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are 
> potentially vulnerable to cross-site scripting. Initializing a checkboxradio 
> widget on an input enclosed within a label makes that parent label contents 
> considered as the input label. Calling `.checkboxradio( "refresh" )` on such 
> a widget and the initial HTML contained encoded HTML entities will make them 
> erroneously get decoded. This can lead to potentially executing JavaScript 
> code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, 
> someone who can change the initial HTML can wrap all the non-input contents 
> of the `label` in a `span`.
> {quote}
> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23413]
> {quote}This affects the package jszip before 3.7.0. Crafting a new zip file 
> with filenames set to Object prototype values (e.g `__proto__`, toString, 
> etc) results in a returned object with a modified prototype instance.
> {quote}
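A defender-side check that follows from the ticket, added here as an example and not part of the Jira issue or of the Artemis project: it walks a javadoc output tree, finds the bundled jQuery, jQuery UI and jszip scripts, and flags any whose filename version is below the fixed release named in the quoted CVEs (or carries no version at all), which is the verification one would run on a release's javadoc before and after adding -noindex. The directory layout and file names in the sample tree are constructed assumptions for the demo, not copied from a real JDK build.

```python
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Minimum fixed versions, taken from the CVE summaries quoted in the ticket.
SAFE_VERSIONS = {
    "jquery": ((3, 5, 0), "CVE-2019-11358, CVE-2020-11022, CVE-2020-11023"),
    "jquery-ui": ((1, 13, 2), "CVE-2022-31160"),
    "jszip": ((3, 7, 0), "CVE-2021-23413"),
}
# Matches e.g. jquery-3.3.1.min.js, jquery-ui.min.js (no version), jszip.min.js
NAME_RE = re.compile(r"^(jquery-ui|jquery|jszip)(?:-(\d+(?:\.\d+)*))?(?:\.min)?\.js$")


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def audit_javadoc_dir(root):
    """Return (relative path, library, reason) for every bundled script that is
    below its fixed version or that carries no version in its filename."""
    findings = []
    for path in sorted(Path(root).rglob("*.js")):
        match = NAME_RE.match(path.name)
        if not match:
            continue  # search.js, script.js etc. are javadoc's own, not third-party
        lib, version = match.group(1), match.group(2)
        minimum, cves = SAFE_VERSIONS[lib]
        rel = str(path.relative_to(root))
        if version is None:
            findings.append((rel, lib, "unversioned filename, check contents manually"))
        elif parse_version(version) < minimum:
            wanted = ".".join(map(str, minimum))
            findings.append((rel, lib, f"{version} < {wanted} ({cves})"))
    return findings


def run_demo(jquery_version="3.3.1"):
    """Build a constructed sample tree (assumed layout, not a real build) and audit it."""
    sample = [f"jquery/jquery-{jquery_version}.min.js", "jquery/jquery-ui.min.js",
              "jquery/jszip/dist/jszip.min.js", "search.js", "script.js"]
    with TemporaryDirectory() as root:
        for name in sample:
            target = Path(root) / name
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text("/* placeholder */\n")
        return audit_javadoc_dir(root)


if __name__ == "__main__":
    for rel, lib, reason in run_demo():
        print(f"{rel}: {lib}: {reason}")
```

Run it against a real `target/site/apidocs` tree (pass the path to `audit_javadoc_dir`) instead of the constructed sample; an empty result after the -noindex change confirms the scripts are gone.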



--
This message was sent by Atlassian Jira
(v8.20.10#820010)