[jira] (AMQ-9536) [[Security] CVE-2020-27511 fix needed for activemq-osgi-5.17.6 and strudl.0.3.13

Mon, 16 Sep 2024 19:49:08 -0700 


    [ https://issues.apache.org/jira/browse/AMQ-9536 ]


    Paul Anand deleted comment on AMQ-9536:
    ---------------------------------

was (Author: JIRAUSER306015):
* The Prototype.js library is no longer maintained (see 
[https://github.com/prototypejs/prototype/issues/363)]
 * A PR is open to address CVE-2020-27511 
([https://github.com/prototypejs/prototype/pull/349)]
 * However, the maintainers of the project mentioned that the project is not 
maintained and have encouraged users to apply the fix 
([https://github.com/prototypejs/prototype/pull/349#issuecomment-1654970930]) 
manually

 

> [[Security] CVE-2020-27511 fix needed for activemq-osgi-5.17.6 and 
> strudl.0.3.13
> --------------------------------------------------------------------------------
>
>                 Key: AMQ-9536
>                 URL: https://issues.apache.org/jira/browse/AMQ-9536
>             Project: ActiveMQ Classic
>          Issue Type: Bug
>          Components: Security/JAAS
>    Affects Versions: 5.17.6
>            Reporter: Abhijit Rajwade
>            Priority: Major
>
> Description
> CVE-2020-27511 fix needed for activemq-osgi-5.17.6 and strudl.0.3.13
> Description :
> Severity : CVE CVSS 3: 7.5Sonatype CVSS 3: 7.5
> Weakness : Sonatype CWE: 400
> Source : National Vulnerability Database
> Categories : Data
> Description from CVE : An issue was discovered in the stripTags and 
> unescapeHTML components in Prototype 1.7.3 where an attacker can cause a 
> Regular Expression Denial of Servicethrough stripping crafted HTML tags.
> Explanation : The prototype package is vulnerable to Regular Expression 
> Denial of Service [ReDoS] attacks. The stripTags[] function in the String.js 
> file used to unescape HTML fails to efficiently parse and remove tags within 
> a given string. An attacker can exploit this vulnerability by submitting a 
> crafted code block which, when parsed by the affected function, will exhaust 
> system resources and trigger a DoS condition.
> Detection : The application is vulnerable by using this component.
> Recommendation : There is no non-vulnerable upgrade path for this 
> component/package. We recommend investigating alternative components or a 
> potential mitigating control.
> Root Cause : activemq-osgi-5.17.6.jarorg/apache/activemq/web/prototype.js : [ 
> , ]
> Advisories : Attack: https://github.com/AlyxRen/prototype.node.js
> CVSS Details : CVE CVSS 3: 7.5CVSS Vector: 
> CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
> CVE : CVE-2020-27511
> URL : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27511
> Remediation : This component does not have any non-vulnerable Version. Please 
> contact the vendor to get this vulnerability fixed.
> ===
> Description :
> Severity : CVE CVSS 3: 7.5Sonatype CVSS 3: 7.5
> Weakness : Sonatype CWE: 400
> Source : National Vulnerability Database
> Categories : Data
> Description from CVE : An issue was discovered in the stripTags and 
> unescapeHTML components in Prototype 1.7.3 where an attacker can cause a 
> Regular Expression Denial of Servicethrough stripping crafted HTML tags.
> Explanation : The prototype package is vulnerable to Regular Expression 
> Denial of Service [ReDoS] attacks. The stripTags[] function in the String.js 
> file used to unescape HTML fails to efficiently parse and remove tags within 
> a given string. An attacker can exploit this vulnerability by submitting a 
> crafted code block which, when parsed by the affected function, will exhaust 
> system resources and trigger a DoS condition.
> Detection : The application is vulnerable by using this component.
> Recommendation : There is no non-vulnerable upgrade path for this 
> component/package. We recommend investigating alternative components or a 
> potential mitigating control.
> Root Cause : strudl.0.3.13 : [ , ]
> Advisories : Attack: https://github.com/AlyxRen/prototype.node.js
> CVSS Details : CVE CVSS 3: 7.5CVSS Vector: 
> CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
> CVE : CVE-2020-27511
> URL : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27511
> Remediation : This component does not have any non-vulnerable Version. Please 
> contact the vendor to get this vulnerability fixed.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information, visit: https://activemq.apache.org/contact

Reply via email to